diff --git a/doc/policy.xml b/doc/policy.xml
index 8ae22432d..3966b1186 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -942,7 +942,17 @@ Role allowed access.
 </module>
 <module name="cloudinit" filename="policy/modules/admin/cloudinit.if">
 <summary>Init scripts for cloud VMs</summary>
-<interface name="cloudinit_create_runtime_dirs" lineno="13">
+<interface name="cloudinit_rw_inherited_pipes" lineno="13">
+<summary>
+Read and write inherited cloud-init pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cloudinit_create_runtime_dirs" lineno="32">
 <summary>
 Create cloud-init runtime directory.
 </summary>
@@ -952,7 +962,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cloudinit_write_runtime_files" lineno="32">
+<interface name="cloudinit_write_runtime_files" lineno="51">
 <summary>
 Write cloud-init runtime files.
 </summary>
@@ -962,7 +972,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cloudinit_create_runtime_files" lineno="51">
+<interface name="cloudinit_rw_runtime_files" lineno="70">
+<summary>
+Read and write cloud-init runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cloudinit_create_runtime_files" lineno="89">
 <summary>
 Create cloud-init runtime files.
 </summary>
@@ -972,7 +992,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cloudinit_filetrans_runtime" lineno="81">
+<interface name="cloudinit_filetrans_runtime" lineno="119">
 <summary>
 Create files in /run with the type used for
 cloud-init runtime files.
@@ -993,7 +1013,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="cloudinit_getattr_state_files" lineno="99">
+<interface name="cloudinit_getattr_state_files" lineno="137">
 <summary>
 Get the attribute of cloud-init state files.
 </summary>
@@ -1003,6 +1023,43 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<interface name="cloudinit_write_inherited_tmp_files" lineno="158">
+<summary>
+Write inherited cloud-init temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cloudinit_rw_tmp_files" lineno="177">
+<summary>
+Read and write cloud-init temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cloudinit_create_tmp_files" lineno="196">
+<summary>
+Create cloud-init temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="cloudinit_manage_non_security" dftval="false">
+<desc>
+<p>
+Enable support for cloud-init to manage all non-security files.
+</p>
+</desc>
+</tunable>
 </module>
 <module name="consoletype" filename="policy/modules/admin/consoletype.if">
 <summary>
@@ -3197,7 +3254,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_append_tmp_files" lineno="351">
+<interface name="rpm_read_tmp_files" lineno="351">
+<summary>
+Read rpm temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_append_tmp_files" lineno="371">
 <summary>
 Append rpm temporary files.
 </summary>
@@ -3207,7 +3274,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_manage_tmp_files" lineno="371">
+<interface name="rpm_manage_tmp_files" lineno="391">
 <summary>
 Create, read, write, and delete
 rpm temporary files.
@@ -3218,7 +3285,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_read_script_tmp_files" lineno="390">
+<interface name="rpm_read_script_tmp_files" lineno="410">
 <summary>
 Read rpm script temporary files.
 </summary>
@@ -3228,7 +3295,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_read_cache" lineno="410">
+<interface name="rpm_read_cache" lineno="430">
 <summary>
 Read rpm cache content.
 </summary>
@@ -3238,7 +3305,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_manage_cache" lineno="432">
+<interface name="rpm_manage_cache" lineno="452">
 <summary>
 Create, read, write, and delete
 rpm cache content.
@@ -3249,7 +3316,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_read_db" lineno="453">
+<interface name="rpm_read_db" lineno="473">
 <summary>
 Read rpm lib content.
 </summary>
@@ -3259,7 +3326,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_delete_db" lineno="475">
+<interface name="rpm_delete_db" lineno="495">
 <summary>
 Delete rpm lib files.
 </summary>
@@ -3269,7 +3336,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_manage_db" lineno="495">
+<interface name="rpm_manage_db" lineno="515">
 <summary>
 Create, read, write, and delete
 rpm lib files.
@@ -3280,7 +3347,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_dontaudit_manage_db" lineno="517">
+<interface name="rpm_dontaudit_manage_db" lineno="537">
 <summary>
 Do not audit attempts to create, read,
 write, and delete rpm lib content.
@@ -3291,7 +3358,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="rpm_manage_runtime_files" lineno="539">
+<interface name="rpm_manage_runtime_files" lineno="559">
 <summary>
 Create, read, write, and delete
 rpm runtime files.
@@ -3302,7 +3369,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpm_admin" lineno="565">
+<interface name="rpm_admin" lineno="585">
 <summary>
 All of the rules required to
 administrate an rpm environment.
@@ -3751,7 +3818,7 @@ The role associated with the user domain.
 </summary>
 </param>
 </template>
-<template name="su_role_template" lineno="149">
+<template name="su_role_template" lineno="154">
 <summary>
 The role template for the su module.
 </summary>
@@ -3777,7 +3844,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="su_exec" lineno="303">
+<interface name="su_exec" lineno="314">
 <summary>
 Execute su in the caller domain.
 </summary>
@@ -3833,7 +3900,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="sudo_sigchld" lineno="232">
+<interface name="sudo_sigchld" lineno="233">
 <summary>
 Send a SIGCHLD signal to the sudo domain.
 </summary>
@@ -3843,6 +3910,16 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<interface name="sudo_exec" lineno="251">
+<summary>
+Execute sudo in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
 <tunable name="sudo_all_tcp_connect_http_port" dftval="false">
 <desc>
 <p>
@@ -4661,7 +4738,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="chromium_run" lineno="161">
+<interface name="chromium_run" lineno="160">
 <summary>
 Execute chromium in the chromium domain and allow the specified role to access the chromium domain
 </summary>
@@ -10451,7 +10528,18 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="corecmd_exec_all_executables" lineno="753">
+<interface name="corecmd_mmap_read_all_executables" lineno="753">
+<summary>
+Mmap read-only all executable files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="corecmd_exec_all_executables" lineno="773">
 <summary>
 Execute all executable files.
 </summary>
@@ -10462,7 +10550,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="corecmd_dontaudit_exec_all_executables" lineno="774">
+<interface name="corecmd_dontaudit_exec_all_executables" lineno="794">
 <summary>
 Do not audit attempts to execute all executables.
 </summary>
@@ -10472,7 +10560,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="corecmd_manage_all_executables" lineno="793">
+<interface name="corecmd_manage_all_executables" lineno="813">
 <summary>
 Create, read, write, and all executable files.
 </summary>
@@ -10483,7 +10571,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="corecmd_relabel_all_executables" lineno="815">
+<interface name="corecmd_relabel_all_executables" lineno="835">
 <summary>
 Relabel to and from the bin type.
 </summary>
@@ -10494,7 +10582,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="corecmd_mmap_all_executables" lineno="835">
+<interface name="corecmd_mmap_all_executables" lineno="855">
 <summary>
 Mmap all executables as executable.
 </summary>
@@ -10504,7 +10592,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="corecmd_relabel_bin_dirs" lineno="857">
+<interface name="corecmd_relabel_bin_dirs" lineno="877">
 <summary>
 Relabel to and from the bin type.
 </summary>
@@ -10514,7 +10602,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="corecmd_relabel_bin_lnk_files" lineno="875">
+<interface name="corecmd_relabel_bin_lnk_files" lineno="895">
 <summary>
 Relabel to and from the bin type.
 </summary>
@@ -56085,7 +56173,17 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_add_entry_generic_dirs" lineno="275">
+<interface name="dev_dontaudit_execute_dev_nodes" lineno="275">
+<summary>
+Dontaudit attempts to execute device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_add_entry_generic_dirs" lineno="293">
 <summary>
 Add entries to directories in /dev.
 </summary>
@@ -56095,7 +56193,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_remove_entry_generic_dirs" lineno="293">
+<interface name="dev_remove_entry_generic_dirs" lineno="311">
 <summary>
 Remove entries from directories in /dev.
 </summary>
@@ -56105,7 +56203,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_generic_dirs" lineno="311">
+<interface name="dev_create_generic_dirs" lineno="329">
 <summary>
 Create a directory in the device directory.
 </summary>
@@ -56115,7 +56213,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_dirs" lineno="330">
+<interface name="dev_delete_generic_dirs" lineno="348">
 <summary>
 Delete a directory in the device directory.
 </summary>
@@ -56125,7 +56223,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_dirs" lineno="348">
+<interface name="dev_manage_generic_dirs" lineno="366">
 <summary>
 Manage of directories in /dev.
 </summary>
@@ -56135,7 +56233,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_generic_dev_dirs" lineno="366">
+<interface name="dev_relabel_generic_dev_dirs" lineno="384">
 <summary>
 Allow full relabeling (to and from) of directories in /dev.
 </summary>
@@ -56145,7 +56243,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_generic_files" lineno="384">
+<interface name="dev_dontaudit_getattr_generic_files" lineno="402">
 <summary>
 dontaudit getattr generic files in /dev.
 </summary>
@@ -56155,7 +56253,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_files" lineno="402">
+<interface name="dev_read_generic_files" lineno="420">
 <summary>
 Read generic files in /dev.
 </summary>
@@ -56165,7 +56263,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_files" lineno="420">
+<interface name="dev_rw_generic_files" lineno="438">
 <summary>
 Read and write generic files in /dev.
 </summary>
@@ -56175,7 +56273,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_files" lineno="438">
+<interface name="dev_delete_generic_files" lineno="456">
 <summary>
 Delete generic files in /dev.
 </summary>
@@ -56185,7 +56283,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_files" lineno="456">
+<interface name="dev_manage_generic_files" lineno="474">
 <summary>
 Create a file in the device directory.
 </summary>
@@ -56195,7 +56293,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_generic_pipes" lineno="474">
+<interface name="dev_dontaudit_getattr_generic_pipes" lineno="492">
 <summary>
 Dontaudit getattr on generic pipes.
 </summary>
@@ -56205,7 +56303,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_generic_sockets" lineno="492">
+<interface name="dev_write_generic_sockets" lineno="510">
 <summary>
 Write generic socket files in /dev.
 </summary>
@@ -56215,7 +56313,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_generic_blk_files" lineno="510">
+<interface name="dev_getattr_generic_blk_files" lineno="528">
 <summary>
 Allow getattr on generic block devices.
 </summary>
@@ -56225,7 +56323,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_generic_blk_files" lineno="528">
+<interface name="dev_dontaudit_getattr_generic_blk_files" lineno="546">
 <summary>
 Dontaudit getattr on generic block devices.
 </summary>
@@ -56235,7 +56333,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_generic_blk_files" lineno="547">
+<interface name="dev_setattr_generic_blk_files" lineno="565">
 <summary>
 Set the attributes on generic
 block devices.
@@ -56246,7 +56344,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_generic_blk_files" lineno="565">
+<interface name="dev_dontaudit_setattr_generic_blk_files" lineno="583">
 <summary>
 Dontaudit setattr on generic block devices.
 </summary>
@@ -56256,7 +56354,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_generic_blk_files" lineno="583">
+<interface name="dev_create_generic_blk_files" lineno="601">
 <summary>
 Create generic block device files.
 </summary>
@@ -56266,7 +56364,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_blk_files" lineno="601">
+<interface name="dev_delete_generic_blk_files" lineno="619">
 <summary>
 Delete generic block device files.
 </summary>
@@ -56276,7 +56374,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_generic_chr_files" lineno="619">
+<interface name="dev_dontaudit_relabelto_generic_blk_files" lineno="638">
+<summary>
+Dontaudit relabelto the generic device
+type on block files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_generic_chr_files" lineno="656">
 <summary>
 Allow getattr for generic character device files.
 </summary>
@@ -56286,7 +56395,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_generic_chr_files" lineno="637">
+<interface name="dev_dontaudit_getattr_generic_chr_files" lineno="674">
 <summary>
 Dontaudit getattr for generic character device files.
 </summary>
@@ -56296,7 +56405,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_generic_chr_files" lineno="656">
+<interface name="dev_setattr_generic_chr_files" lineno="693">
 <summary>
 Set the attributes for generic
 character device files.
@@ -56307,7 +56416,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_generic_chr_files" lineno="674">
+<interface name="dev_dontaudit_setattr_generic_chr_files" lineno="711">
 <summary>
 Dontaudit setattr for generic character device files.
 </summary>
@@ -56317,7 +56426,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_chr_files" lineno="692">
+<interface name="dev_read_generic_chr_files" lineno="729">
 <summary>
 Read generic character device files.
 </summary>
@@ -56327,7 +56436,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_chr_files" lineno="710">
+<interface name="dev_rw_generic_chr_files" lineno="747">
 <summary>
 Read and write generic character device files.
 </summary>
@@ -56337,7 +56446,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_blk_files" lineno="728">
+<interface name="dev_rw_generic_blk_files" lineno="765">
 <summary>
 Read and write generic block device files.
 </summary>
@@ -56347,7 +56456,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_generic_chr_files" lineno="746">
+<interface name="dev_dontaudit_rw_generic_chr_files" lineno="783">
 <summary>
 Dontaudit attempts to read/write generic character device files.
 </summary>
@@ -56357,7 +56466,7 @@ Domain to dontaudit access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_generic_chr_files" lineno="764">
+<interface name="dev_create_generic_chr_files" lineno="801">
 <summary>
 Create generic character device files.
 </summary>
@@ -56367,7 +56476,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_chr_files" lineno="782">
+<interface name="dev_delete_generic_chr_files" lineno="819">
 <summary>
 Delete generic character device files.
 </summary>
@@ -56377,7 +56486,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabelfrom_generic_chr_files" lineno="800">
+<interface name="dev_relabelfrom_generic_chr_files" lineno="837">
 <summary>
 Relabel from generic character device files.
 </summary>
@@ -56387,7 +56496,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_generic_symlinks" lineno="819">
+<interface name="dev_dontaudit_setattr_generic_symlinks" lineno="856">
 <summary>
 Do not audit attempts to set the attributes
 of symbolic links in device directories (/dev).
@@ -56398,7 +56507,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_symlinks" lineno="837">
+<interface name="dev_read_generic_symlinks" lineno="874">
 <summary>
 Read symbolic links in device directories.
 </summary>
@@ -56408,7 +56517,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_generic_symlinks" lineno="855">
+<interface name="dev_create_generic_symlinks" lineno="892">
 <summary>
 Create symbolic links in device directories.
 </summary>
@@ -56418,7 +56527,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_symlinks" lineno="873">
+<interface name="dev_delete_generic_symlinks" lineno="910">
 <summary>
 Delete symbolic links in device directories.
 </summary>
@@ -56428,7 +56537,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_symlinks" lineno="891">
+<interface name="dev_manage_generic_symlinks" lineno="928">
 <summary>
 Create, delete, read, and write symbolic links in device directories.
 </summary>
@@ -56438,7 +56547,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_generic_symlinks" lineno="909">
+<interface name="dev_relabel_generic_symlinks" lineno="946">
 <summary>
 Relabel symbolic links in device directories.
 </summary>
@@ -56448,7 +56557,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_generic_sock_files" lineno="927">
+<interface name="dev_write_generic_sock_files" lineno="964">
 <summary>
 Write generic sock files in /dev.
 </summary>
@@ -56458,7 +56567,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_all_dev_nodes" lineno="945">
+<interface name="dev_manage_all_dev_nodes" lineno="982">
 <summary>
 Create, delete, read, and write device nodes in device directories.
 </summary>
@@ -56468,7 +56577,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_generic_dev_nodes" lineno="986">
+<interface name="dev_dontaudit_rw_generic_dev_nodes" lineno="1023">
 <summary>
 Dontaudit getattr for generic device files.
 </summary>
@@ -56478,7 +56587,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_blk_files" lineno="1004">
+<interface name="dev_manage_generic_blk_files" lineno="1041">
 <summary>
 Create, delete, read, and write block device files.
 </summary>
@@ -56488,7 +56597,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_chr_files" lineno="1022">
+<interface name="dev_manage_generic_chr_files" lineno="1059">
 <summary>
 Create, delete, read, and write character device files.
 </summary>
@@ -56498,7 +56607,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans" lineno="1057">
+<interface name="dev_filetrans" lineno="1094">
 <summary>
 Create, read, and write device nodes. The node
 will be transitioned to the type provided.
@@ -56525,7 +56634,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_tmpfs_filetrans_dev" lineno="1092">
+<interface name="dev_tmpfs_filetrans_dev" lineno="1129">
 <summary>
 Create, read, and write device nodes. The node
 will be transitioned to the type provided.  This is
@@ -56549,7 +56658,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_all_blk_files" lineno="1111">
+<interface name="dev_getattr_all_blk_files" lineno="1148">
 <summary>
 Getattr on all block file device nodes.
 </summary>
@@ -56560,7 +56669,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_dontaudit_getattr_all_blk_files" lineno="1130">
+<interface name="dev_dontaudit_getattr_all_blk_files" lineno="1167">
 <summary>
 Dontaudit getattr on all block file device nodes.
 </summary>
@@ -56570,7 +56679,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_all_chr_files" lineno="1150">
+<interface name="dev_getattr_all_chr_files" lineno="1187">
 <summary>
 Getattr on all character file device nodes.
 </summary>
@@ -56581,7 +56690,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_dontaudit_getattr_all_chr_files" lineno="1169">
+<interface name="dev_dontaudit_getattr_all_chr_files" lineno="1206">
 <summary>
 Dontaudit getattr on all character file device nodes.
 </summary>
@@ -56591,7 +56700,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_all_blk_files" lineno="1189">
+<interface name="dev_setattr_all_blk_files" lineno="1226">
 <summary>
 Setattr on all block file device nodes.
 </summary>
@@ -56602,7 +56711,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_setattr_all_chr_files" lineno="1209">
+<interface name="dev_setattr_all_chr_files" lineno="1246">
 <summary>
 Setattr on all character file device nodes.
 </summary>
@@ -56613,7 +56722,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_dontaudit_read_all_blk_files" lineno="1228">
+<interface name="dev_dontaudit_read_all_blk_files" lineno="1265">
 <summary>
 Dontaudit read on all block file device nodes.
 </summary>
@@ -56623,7 +56732,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_all_blk_files" lineno="1246">
+<interface name="dev_dontaudit_write_all_blk_files" lineno="1283">
 <summary>
 Dontaudit write on all block file device nodes.
 </summary>
@@ -56633,7 +56742,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_all_chr_files" lineno="1264">
+<interface name="dev_dontaudit_read_all_chr_files" lineno="1301">
 <summary>
 Dontaudit read on all character file device nodes.
 </summary>
@@ -56643,7 +56752,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_all_chr_files" lineno="1282">
+<interface name="dev_dontaudit_write_all_chr_files" lineno="1319">
 <summary>
 Dontaudit write on all character file device nodes.
 </summary>
@@ -56653,7 +56762,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_all_blk_files" lineno="1300">
+<interface name="dev_create_all_blk_files" lineno="1337">
 <summary>
 Create all block device files.
 </summary>
@@ -56663,7 +56772,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_all_chr_files" lineno="1319">
+<interface name="dev_create_all_chr_files" lineno="1356">
 <summary>
 Create all character device files.
 </summary>
@@ -56673,7 +56782,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_all_blk_files" lineno="1338">
+<interface name="dev_delete_all_blk_files" lineno="1375">
 <summary>
 Delete all block device files.
 </summary>
@@ -56683,7 +56792,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_all_chr_files" lineno="1357">
+<interface name="dev_delete_all_chr_files" lineno="1394">
 <summary>
 Delete all character device files.
 </summary>
@@ -56693,7 +56802,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rename_all_blk_files" lineno="1376">
+<interface name="dev_rename_all_blk_files" lineno="1413">
 <summary>
 Rename all block device files.
 </summary>
@@ -56703,7 +56812,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rename_all_chr_files" lineno="1395">
+<interface name="dev_rename_all_chr_files" lineno="1432">
 <summary>
 Rename all character device files.
 </summary>
@@ -56713,7 +56822,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_all_blk_files" lineno="1414">
+<interface name="dev_manage_all_blk_files" lineno="1451">
 <summary>
 Read, write, create, and delete all block device files.
 </summary>
@@ -56723,7 +56832,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_all_chr_files" lineno="1439">
+<interface name="dev_manage_all_chr_files" lineno="1476">
 <summary>
 Read, write, create, and delete all character device files.
 </summary>
@@ -56733,7 +56842,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_acpi_bios_dev" lineno="1460">
+<interface name="dev_getattr_acpi_bios_dev" lineno="1497">
 <summary>
 Get the attributes of the apm bios device node.
 </summary>
@@ -56743,7 +56852,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_acpi_bios_dev" lineno="1479">
+<interface name="dev_dontaudit_getattr_acpi_bios_dev" lineno="1516">
 <summary>
 Do not audit attempts to get the attributes of
 the apm bios device node.
@@ -56754,7 +56863,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_acpi_bios_dev" lineno="1497">
+<interface name="dev_setattr_acpi_bios_dev" lineno="1534">
 <summary>
 Set the attributes of the apm bios device node.
 </summary>
@@ -56764,7 +56873,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_acpi_bios_dev" lineno="1516">
+<interface name="dev_dontaudit_setattr_acpi_bios_dev" lineno="1553">
 <summary>
 Do not audit attempts to set the attributes of
 the apm bios device node.
@@ -56775,7 +56884,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_acpi_bios" lineno="1534">
+<interface name="dev_rw_acpi_bios" lineno="1571">
 <summary>
 Read and write the apm bios.
 </summary>
@@ -56785,7 +56894,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_agp_dev" lineno="1552">
+<interface name="dev_getattr_agp_dev" lineno="1589">
 <summary>
 Getattr the agp devices.
 </summary>
@@ -56795,7 +56904,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_agp" lineno="1570">
+<interface name="dev_rw_agp" lineno="1607">
 <summary>
 Read and write the agp devices.
 </summary>
@@ -56805,7 +56914,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_autofs_dev" lineno="1589">
+<interface name="dev_getattr_autofs_dev" lineno="1626">
 <summary>
 Get the attributes of the autofs device node.
 </summary>
@@ -56815,7 +56924,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_autofs_dev" lineno="1608">
+<interface name="dev_dontaudit_getattr_autofs_dev" lineno="1645">
 <summary>
 Do not audit attempts to get the attributes of
 the autofs device node.
@@ -56826,7 +56935,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_autofs_dev" lineno="1626">
+<interface name="dev_setattr_autofs_dev" lineno="1663">
 <summary>
 Set the attributes of the autofs device node.
 </summary>
@@ -56836,7 +56945,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_autofs_dev" lineno="1645">
+<interface name="dev_dontaudit_setattr_autofs_dev" lineno="1682">
 <summary>
 Do not audit attempts to set the attributes of
 the autofs device node.
@@ -56847,7 +56956,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_autofs" lineno="1663">
+<interface name="dev_rw_autofs" lineno="1700">
 <summary>
 Read and write the autofs device.
 </summary>
@@ -56857,7 +56966,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_autofs_dev" lineno="1681">
+<interface name="dev_relabel_autofs_dev" lineno="1718">
 <summary>
 Relabel the autofs device node.
 </summary>
@@ -56867,7 +56976,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_cachefiles" lineno="1700">
+<interface name="dev_rw_cachefiles" lineno="1737">
 <summary>
 Read and write cachefiles character
 device nodes.
@@ -56878,7 +56987,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_cardmgr" lineno="1718">
+<interface name="dev_rw_cardmgr" lineno="1755">
 <summary>
 Read and write the PCMCIA card manager device.
 </summary>
@@ -56888,7 +56997,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_cardmgr" lineno="1737">
+<interface name="dev_dontaudit_rw_cardmgr" lineno="1774">
 <summary>
 Do not audit attempts to read and
 write the PCMCIA card manager device.
@@ -56899,7 +57008,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_cardmgr_dev" lineno="1757">
+<interface name="dev_create_cardmgr_dev" lineno="1794">
 <summary>
 Create, read, write, and delete
 the PCMCIA card manager device
@@ -56911,7 +57020,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_cardmgr_dev" lineno="1777">
+<interface name="dev_manage_cardmgr_dev" lineno="1814">
 <summary>
 Create, read, write, and delete
 the PCMCIA card manager device.
@@ -56922,7 +57031,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_cardmgr" lineno="1803">
+<interface name="dev_filetrans_cardmgr" lineno="1840">
 <summary>
 Automatic type transition to the type
 for PCMCIA card manager device nodes when
@@ -56939,7 +57048,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_cpu_dev" lineno="1822">
+<interface name="dev_getattr_cpu_dev" lineno="1859">
 <summary>
 Get the attributes of the CPU
 microcode and id interfaces.
@@ -56950,7 +57059,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_cpu_dev" lineno="1841">
+<interface name="dev_setattr_cpu_dev" lineno="1878">
 <summary>
 Set the attributes of the CPU
 microcode and id interfaces.
@@ -56961,7 +57070,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_cpuid" lineno="1859">
+<interface name="dev_read_cpuid" lineno="1896">
 <summary>
 Read the CPU identity.
 </summary>
@@ -56971,7 +57080,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_cpu_microcode" lineno="1878">
+<interface name="dev_rw_cpu_microcode" lineno="1915">
 <summary>
 Read and write the the CPU microcode device. This
 is required to load CPU microcode.
@@ -56982,7 +57091,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_crash" lineno="1896">
+<interface name="dev_read_crash" lineno="1933">
 <summary>
 Read the kernel crash device
 </summary>
@@ -56992,7 +57101,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_crypto" lineno="1914">
+<interface name="dev_rw_crypto" lineno="1951">
 <summary>
 Read and write the the hardware SSL accelerator.
 </summary>
@@ -57002,7 +57111,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_dlm_control" lineno="1932">
+<interface name="dev_setattr_dlm_control" lineno="1969">
 <summary>
 Set the attributes of the dlm control devices.
 </summary>
@@ -57012,7 +57121,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_dlm_control" lineno="1950">
+<interface name="dev_rw_dlm_control" lineno="1987">
 <summary>
 Read and write the the dlm control device
 </summary>
@@ -57022,7 +57131,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_dri_dev" lineno="1968">
+<interface name="dev_getattr_dri_dev" lineno="2005">
 <summary>
 getattr the dri devices.
 </summary>
@@ -57032,7 +57141,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_dri_dev" lineno="1986">
+<interface name="dev_setattr_dri_dev" lineno="2023">
 <summary>
 Setattr the dri devices.
 </summary>
@@ -57042,7 +57151,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_ioctl_dri_dev" lineno="2004">
+<interface name="dev_ioctl_dri_dev" lineno="2041">
 <summary>
 IOCTL the dri devices.
 </summary>
@@ -57052,7 +57161,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_dri" lineno="2022">
+<interface name="dev_rw_dri" lineno="2059">
 <summary>
 Read and write the dri devices.
 </summary>
@@ -57062,7 +57171,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_dri" lineno="2041">
+<interface name="dev_dontaudit_rw_dri" lineno="2078">
 <summary>
 Dontaudit read and write on the dri devices.
 </summary>
@@ -57072,7 +57181,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_dri_dev" lineno="2059">
+<interface name="dev_manage_dri_dev" lineno="2096">
 <summary>
 Create, read, write, and delete the dri devices.
 </summary>
@@ -57082,7 +57191,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_dri" lineno="2084">
+<interface name="dev_mounton_dri_dev" lineno="2115">
+<summary>
+Mount on the dri devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_filetrans_dri" lineno="2139">
 <summary>
 Automatic type transition to the type
 for DRI device nodes when created in /dev.
@@ -57098,7 +57217,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_input_dev" lineno="2108">
+<interface name="dev_filetrans_input_dev" lineno="2163">
 <summary>
 Automatic type transition to the type
 for event device nodes when created in /dev.
@@ -57114,7 +57233,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_input_dev" lineno="2126">
+<interface name="dev_getattr_input_dev" lineno="2181">
 <summary>
 Get the attributes of the event devices.
 </summary>
@@ -57124,7 +57243,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_input_dev" lineno="2145">
+<interface name="dev_setattr_input_dev" lineno="2200">
 <summary>
 Set the attributes of the event devices.
 </summary>
@@ -57134,7 +57253,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_input" lineno="2164">
+<interface name="dev_read_input" lineno="2219">
 <summary>
 Read input event devices (/dev/input).
 </summary>
@@ -57144,7 +57263,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_input_dev" lineno="2182">
+<interface name="dev_rw_input_dev" lineno="2237">
 <summary>
 Read and write input event devices (/dev/input).
 </summary>
@@ -57154,7 +57273,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_input_dev" lineno="2200">
+<interface name="dev_manage_input_dev" lineno="2255">
 <summary>
 Create, read, write, and delete input event devices (/dev/input).
 </summary>
@@ -57164,7 +57283,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_ioctl_input_dev" lineno="2218">
+<interface name="dev_ioctl_input_dev" lineno="2273">
 <summary>
 IOCTL the input event devices (/dev/input).
 </summary>
@@ -57174,7 +57293,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_ipmi_dev" lineno="2236">
+<interface name="dev_rw_ipmi_dev" lineno="2291">
 <summary>
 Read and write ipmi devices (/dev/ipmi*).
 </summary>
@@ -57184,7 +57303,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_framebuffer_dev" lineno="2254">
+<interface name="dev_getattr_framebuffer_dev" lineno="2309">
 <summary>
 Get the attributes of the framebuffer device node.
 </summary>
@@ -57194,7 +57313,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_framebuffer_dev" lineno="2272">
+<interface name="dev_setattr_framebuffer_dev" lineno="2327">
 <summary>
 Set the attributes of the framebuffer device node.
 </summary>
@@ -57204,7 +57323,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_framebuffer_dev" lineno="2291">
+<interface name="dev_dontaudit_setattr_framebuffer_dev" lineno="2346">
 <summary>
 Dot not audit attempts to set the attributes
 of the framebuffer device node.
@@ -57215,7 +57334,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_framebuffer" lineno="2309">
+<interface name="dev_read_framebuffer" lineno="2364">
 <summary>
 Read the framebuffer.
 </summary>
@@ -57225,7 +57344,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_framebuffer" lineno="2327">
+<interface name="dev_dontaudit_read_framebuffer" lineno="2382">
 <summary>
 Do not audit attempts to read the framebuffer.
 </summary>
@@ -57235,7 +57354,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_framebuffer" lineno="2345">
+<interface name="dev_write_framebuffer" lineno="2400">
 <summary>
 Write the framebuffer.
 </summary>
@@ -57245,7 +57364,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_framebuffer" lineno="2363">
+<interface name="dev_rw_framebuffer" lineno="2418">
 <summary>
 Read and write the framebuffer.
 </summary>
@@ -57255,7 +57374,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_hyperv_kvp" lineno="2381">
+<interface name="dev_rw_hyperv_kvp" lineno="2436">
 <summary>
 Allow read/write the hypervkvp device
 </summary>
@@ -57265,7 +57384,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_hyperv_vss" lineno="2399">
+<interface name="dev_rw_hyperv_vss" lineno="2454">
 <summary>
 Allow read/write the hypervvssd device
 </summary>
@@ -57275,7 +57394,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_iio" lineno="2417">
+<interface name="dev_read_iio" lineno="2472">
 <summary>
 Allow read/write access to InfiniBand devices.
 </summary>
@@ -57285,7 +57404,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_infiniband" lineno="2435">
+<interface name="dev_rw_infiniband" lineno="2490">
 <summary>
 Allow read/write access to InfiniBand devices.
 </summary>
@@ -57295,7 +57414,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_kmsg" lineno="2453">
+<interface name="dev_read_kmsg" lineno="2508">
 <summary>
 Read the kernel messages
 </summary>
@@ -57305,7 +57424,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_kmsg" lineno="2471">
+<interface name="dev_dontaudit_read_kmsg" lineno="2526">
 <summary>
 Do not audit attempts to read the kernel messages
 </summary>
@@ -57315,7 +57434,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_kmsg" lineno="2489">
+<interface name="dev_write_kmsg" lineno="2544">
 <summary>
 Write to the kernel messages device
 </summary>
@@ -57325,7 +57444,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_kmsg" lineno="2507">
+<interface name="dev_rw_kmsg" lineno="2562">
 <summary>
 Read and write to the kernel messages device
 </summary>
@@ -57335,7 +57454,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_kmsg" lineno="2525">
+<interface name="dev_mounton_kmsg" lineno="2580">
 <summary>
 Mount on the kernel messages device
 </summary>
@@ -57345,7 +57464,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_ksm_dev" lineno="2543">
+<interface name="dev_getattr_ksm_dev" lineno="2598">
 <summary>
 Get the attributes of the ksm devices.
 </summary>
@@ -57355,7 +57474,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_ksm_dev" lineno="2561">
+<interface name="dev_setattr_ksm_dev" lineno="2616">
 <summary>
 Set the attributes of the ksm devices.
 </summary>
@@ -57365,7 +57484,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_ksm" lineno="2579">
+<interface name="dev_read_ksm" lineno="2634">
 <summary>
 Read the ksm devices.
 </summary>
@@ -57375,7 +57494,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_ksm" lineno="2597">
+<interface name="dev_rw_ksm" lineno="2652">
 <summary>
 Read and write to ksm devices.
 </summary>
@@ -57385,7 +57504,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_kvm_dev" lineno="2615">
+<interface name="dev_getattr_kvm_dev" lineno="2670">
 <summary>
 Get the attributes of the kvm devices.
 </summary>
@@ -57395,7 +57514,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_kvm_dev" lineno="2633">
+<interface name="dev_setattr_kvm_dev" lineno="2688">
 <summary>
 Set the attributes of the kvm devices.
 </summary>
@@ -57405,7 +57524,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_kvm" lineno="2651">
+<interface name="dev_read_kvm" lineno="2706">
 <summary>
 Read the kvm devices.
 </summary>
@@ -57415,7 +57534,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_kvm" lineno="2669">
+<interface name="dev_rw_kvm" lineno="2724">
 <summary>
 Read and write to kvm devices.
 </summary>
@@ -57425,7 +57544,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_lirc" lineno="2687">
+<interface name="dev_read_lirc" lineno="2742">
 <summary>
 Read the lirc device.
 </summary>
@@ -57435,7 +57554,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_lirc" lineno="2705">
+<interface name="dev_rw_lirc" lineno="2760">
 <summary>
 Read and write the lirc device.
 </summary>
@@ -57445,7 +57564,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_lirc" lineno="2729">
+<interface name="dev_filetrans_lirc" lineno="2784">
 <summary>
 Automatic type transition to the type
 for lirc device nodes when created in /dev.
@@ -57461,7 +57580,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_loop_control" lineno="2747">
+<interface name="dev_rw_loop_control" lineno="2802">
 <summary>
 Read and write the loop-control device.
 </summary>
@@ -57471,7 +57590,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_lvm_control" lineno="2765">
+<interface name="dev_getattr_lvm_control" lineno="2820">
 <summary>
 Get the attributes of the lvm comtrol device.
 </summary>
@@ -57481,7 +57600,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_lvm_control" lineno="2783">
+<interface name="dev_read_lvm_control" lineno="2838">
 <summary>
 Read the lvm comtrol device.
 </summary>
@@ -57491,7 +57610,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_lvm_control" lineno="2801">
+<interface name="dev_rw_lvm_control" lineno="2856">
 <summary>
 Read and write the lvm control device.
 </summary>
@@ -57501,7 +57620,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_lvm_control" lineno="2819">
+<interface name="dev_dontaudit_rw_lvm_control" lineno="2874">
 <summary>
 Do not audit attempts to read and write lvm control device.
 </summary>
@@ -57511,7 +57630,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_lvm_control_dev" lineno="2837">
+<interface name="dev_delete_lvm_control_dev" lineno="2892">
 <summary>
 Delete the lvm control device.
 </summary>
@@ -57521,7 +57640,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_memory_dev" lineno="2855">
+<interface name="dev_dontaudit_getattr_memory_dev" lineno="2910">
 <summary>
 dontaudit getattr raw memory devices (e.g. /dev/mem).
 </summary>
@@ -57531,7 +57650,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_raw_memory" lineno="2876">
+<interface name="dev_read_raw_memory" lineno="2931">
 <summary>
 Read raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57544,7 +57663,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_raw_memory_cond" lineno="2906">
+<interface name="dev_read_raw_memory_cond" lineno="2961">
 <summary>
 Read raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57562,7 +57681,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_raw_memory" lineno="2933">
+<interface name="dev_dontaudit_read_raw_memory" lineno="2988">
 <summary>
 Do not audit attempts to read raw memory devices
 (e.g. /dev/mem).
@@ -57576,7 +57695,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_raw_memory" lineno="2954">
+<interface name="dev_write_raw_memory" lineno="3009">
 <summary>
 Write raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57589,7 +57708,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_raw_memory_cond" lineno="2984">
+<interface name="dev_write_raw_memory_cond" lineno="3039">
 <summary>
 Write raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57607,7 +57726,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_rx_raw_memory" lineno="3010">
+<interface name="dev_rx_raw_memory" lineno="3065">
 <summary>
 Read and execute raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57620,7 +57739,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_wx_raw_memory" lineno="3032">
+<interface name="dev_wx_raw_memory" lineno="3087">
 <summary>
 Write and execute raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57633,7 +57752,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_wx_raw_memory_cond" lineno="3059">
+<interface name="dev_wx_raw_memory_cond" lineno="3114">
 <summary>
 Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57651,7 +57770,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_misc_dev" lineno="3082">
+<interface name="dev_getattr_misc_dev" lineno="3137">
 <summary>
 Get the attributes of miscellaneous devices.
 </summary>
@@ -57661,7 +57780,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_misc_dev" lineno="3101">
+<interface name="dev_dontaudit_getattr_misc_dev" lineno="3156">
 <summary>
 Do not audit attempts to get the attributes
 of miscellaneous devices.
@@ -57672,7 +57791,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_misc_dev" lineno="3119">
+<interface name="dev_setattr_misc_dev" lineno="3174">
 <summary>
 Set the attributes of miscellaneous devices.
 </summary>
@@ -57682,7 +57801,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_misc_dev" lineno="3138">
+<interface name="dev_dontaudit_setattr_misc_dev" lineno="3193">
 <summary>
 Do not audit attempts to set the attributes
 of miscellaneous devices.
@@ -57693,7 +57812,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_misc" lineno="3156">
+<interface name="dev_read_misc" lineno="3211">
 <summary>
 Read miscellaneous devices.
 </summary>
@@ -57703,7 +57822,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_misc" lineno="3174">
+<interface name="dev_write_misc" lineno="3229">
 <summary>
 Write miscellaneous devices.
 </summary>
@@ -57713,7 +57832,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_misc" lineno="3192">
+<interface name="dev_dontaudit_rw_misc" lineno="3247">
 <summary>
 Do not audit attempts to read and write miscellaneous devices.
 </summary>
@@ -57723,7 +57842,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_modem_dev" lineno="3210">
+<interface name="dev_getattr_modem_dev" lineno="3265">
 <summary>
 Get the attributes of the modem devices.
 </summary>
@@ -57733,7 +57852,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_modem_dev" lineno="3228">
+<interface name="dev_setattr_modem_dev" lineno="3283">
 <summary>
 Set the attributes of the modem devices.
 </summary>
@@ -57743,7 +57862,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_modem" lineno="3246">
+<interface name="dev_read_modem" lineno="3301">
 <summary>
 Read the modem devices.
 </summary>
@@ -57753,7 +57872,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_modem" lineno="3264">
+<interface name="dev_rw_modem" lineno="3319">
 <summary>
 Read and write to modem devices.
 </summary>
@@ -57763,7 +57882,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_mouse_dev" lineno="3282">
+<interface name="dev_getattr_mouse_dev" lineno="3337">
 <summary>
 Get the attributes of the mouse devices.
 </summary>
@@ -57773,7 +57892,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_mouse_dev" lineno="3300">
+<interface name="dev_setattr_mouse_dev" lineno="3355">
 <summary>
 Set the attributes of the mouse devices.
 </summary>
@@ -57783,7 +57902,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_mouse" lineno="3318">
+<interface name="dev_delete_mouse_dev" lineno="3373">
+<summary>
+Delete the mouse devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_mouse" lineno="3391">
 <summary>
 Read the mouse devices.
 </summary>
@@ -57793,7 +57922,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_mouse" lineno="3336">
+<interface name="dev_rw_mouse" lineno="3409">
 <summary>
 Read and write to mouse devices.
 </summary>
@@ -57803,7 +57932,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_mtrr_dev" lineno="3355">
+<interface name="dev_getattr_mtrr_dev" lineno="3428">
 <summary>
 Get the attributes of the memory type range
 registers (MTRR) device.
@@ -57814,7 +57943,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_mtrr" lineno="3375">
+<interface name="dev_dontaudit_write_mtrr" lineno="3448">
 <summary>
 Do not audit attempts to write the memory type
 range registers (MTRR).
@@ -57825,7 +57954,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_mtrr" lineno="3394">
+<interface name="dev_rw_mtrr" lineno="3467">
 <summary>
 Read and write the memory type range registers (MTRR).
 </summary>
@@ -57835,7 +57964,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_null_dev" lineno="3413">
+<interface name="dev_getattr_null_dev" lineno="3486">
 <summary>
 Get the attributes of the null device nodes.
 </summary>
@@ -57845,7 +57974,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_null_dev" lineno="3431">
+<interface name="dev_setattr_null_dev" lineno="3504">
 <summary>
 Set the attributes of the null device nodes.
 </summary>
@@ -57855,7 +57984,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_null_dev" lineno="3450">
+<interface name="dev_dontaudit_setattr_null_dev" lineno="3523">
 <summary>
 Do not audit attempts to set the attributes of
 the null device nodes.
@@ -57866,7 +57995,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_null" lineno="3468">
+<interface name="dev_delete_null" lineno="3541">
 <summary>
 Delete the null device (/dev/null).
 </summary>
@@ -57876,7 +58005,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_null" lineno="3486">
+<interface name="dev_rw_null" lineno="3559">
 <summary>
 Read and write to the null device (/dev/null).
 </summary>
@@ -57886,7 +58015,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_null_dev" lineno="3504">
+<interface name="dev_create_null_dev" lineno="3577">
 <summary>
 Create the null device (/dev/null).
 </summary>
@@ -57896,7 +58025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_null_service" lineno="3523">
+<interface name="dev_manage_null_service" lineno="3596">
 <summary>
 Manage services with script type null_device_t for when
 /lib/systemd/system/something.service is a link to /dev/null
@@ -57907,7 +58036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3543">
+<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3616">
 <summary>
 Do not audit attempts to get the attributes
 of the BIOS non-volatile RAM device.
@@ -57918,7 +58047,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_nvram" lineno="3561">
+<interface name="dev_rw_nvram" lineno="3634">
 <summary>
 Read and write BIOS non-volatile RAM.
 </summary>
@@ -57928,7 +58057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_printer_dev" lineno="3579">
+<interface name="dev_getattr_printer_dev" lineno="3652">
 <summary>
 Get the attributes of the printer device nodes.
 </summary>
@@ -57938,7 +58067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_printer_dev" lineno="3597">
+<interface name="dev_setattr_printer_dev" lineno="3670">
 <summary>
 Set the attributes of the printer device nodes.
 </summary>
@@ -57948,7 +58077,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_append_printer" lineno="3616">
+<interface name="dev_append_printer" lineno="3689">
 <summary>
 Append the printer device.
 </summary>
@@ -57958,7 +58087,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_printer" lineno="3634">
+<interface name="dev_rw_printer" lineno="3707">
 <summary>
 Read and write the printer device.
 </summary>
@@ -57968,7 +58097,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_pmqos_dev" lineno="3652">
+<interface name="dev_getattr_pmqos_dev" lineno="3725">
 <summary>
 Get the attributes of PM QoS devices
 </summary>
@@ -57978,7 +58107,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_pmqos" lineno="3670">
+<interface name="dev_read_pmqos" lineno="3743">
 <summary>
 Read the PM QoS devices.
 </summary>
@@ -57988,7 +58117,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_pmqos" lineno="3688">
+<interface name="dev_rw_pmqos" lineno="3761">
 <summary>
 Read and write the the PM QoS devices.
 </summary>
@@ -57998,7 +58127,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_qemu_dev" lineno="3707">
+<interface name="dev_getattr_qemu_dev" lineno="3780">
 <summary>
 Get the attributes of the QEMU
 microcode and id interfaces.
@@ -58009,7 +58138,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_qemu_dev" lineno="3726">
+<interface name="dev_setattr_qemu_dev" lineno="3799">
 <summary>
 Set the attributes of the QEMU
 microcode and id interfaces.
@@ -58020,7 +58149,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_qemu" lineno="3744">
+<interface name="dev_read_qemu" lineno="3817">
 <summary>
 Read the QEMU device
 </summary>
@@ -58030,7 +58159,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_qemu" lineno="3762">
+<interface name="dev_rw_qemu" lineno="3835">
 <summary>
 Read and write the the QEMU device.
 </summary>
@@ -58040,7 +58169,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_rand" lineno="3796">
+<interface name="dev_read_rand" lineno="3869">
 <summary>
 Read from random number generator
 devices (e.g., /dev/random).
@@ -58066,7 +58195,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_dontaudit_read_rand" lineno="3815">
+<interface name="dev_dontaudit_read_rand" lineno="3888">
 <summary>
 Do not audit attempts to read from random
 number generator devices (e.g., /dev/random)
@@ -58077,7 +58206,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_append_rand" lineno="3834">
+<interface name="dev_dontaudit_append_rand" lineno="3907">
 <summary>
 Do not audit attempts to append to random
 number generator devices (e.g., /dev/random)
@@ -58088,7 +58217,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_rand" lineno="3854">
+<interface name="dev_write_rand" lineno="3927">
 <summary>
 Write to the random device (e.g., /dev/random). This adds
 entropy used to generate the random data read from the
@@ -58100,7 +58229,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_rand_dev" lineno="3872">
+<interface name="dev_create_rand_dev" lineno="3945">
 <summary>
 Create the random device (/dev/random).
 </summary>
@@ -58110,7 +58239,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_realtime_clock" lineno="3890">
+<interface name="dev_read_realtime_clock" lineno="3963">
 <summary>
 Read the realtime clock (/dev/rtc).
 </summary>
@@ -58120,7 +58249,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_realtime_clock" lineno="3908">
+<interface name="dev_write_realtime_clock" lineno="3981">
 <summary>
 Set the realtime clock (/dev/rtc).
 </summary>
@@ -58130,7 +58259,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_realtime_clock" lineno="3928">
+<interface name="dev_rw_realtime_clock" lineno="4001">
 <summary>
 Read and set the realtime clock (/dev/rtc).
 </summary>
@@ -58140,7 +58269,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_scanner_dev" lineno="3943">
+<interface name="dev_getattr_scanner_dev" lineno="4016">
 <summary>
 Get the attributes of the scanner device.
 </summary>
@@ -58150,7 +58279,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3962">
+<interface name="dev_dontaudit_getattr_scanner_dev" lineno="4035">
 <summary>
 Do not audit attempts to get the attributes of
 the scanner device.
@@ -58161,7 +58290,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_scanner_dev" lineno="3980">
+<interface name="dev_setattr_scanner_dev" lineno="4053">
 <summary>
 Set the attributes of the scanner device.
 </summary>
@@ -58171,7 +58300,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3999">
+<interface name="dev_dontaudit_setattr_scanner_dev" lineno="4072">
 <summary>
 Do not audit attempts to set the attributes of
 the scanner device.
@@ -58182,7 +58311,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_scanner" lineno="4017">
+<interface name="dev_rw_scanner" lineno="4090">
 <summary>
 Read and write the scanner device.
 </summary>
@@ -58192,7 +58321,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sound_dev" lineno="4035">
+<interface name="dev_getattr_sound_dev" lineno="4108">
 <summary>
 Get the attributes of the sound devices.
 </summary>
@@ -58202,7 +58331,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_sound_dev" lineno="4053">
+<interface name="dev_setattr_sound_dev" lineno="4126">
 <summary>
 Set the attributes of the sound devices.
 </summary>
@@ -58212,7 +58341,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sound" lineno="4071">
+<interface name="dev_read_sound" lineno="4144">
 <summary>
 Read the sound devices.
 </summary>
@@ -58222,7 +58351,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sound" lineno="4090">
+<interface name="dev_write_sound" lineno="4163">
 <summary>
 Write the sound devices.
 </summary>
@@ -58232,7 +58361,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sound_mixer" lineno="4109">
+<interface name="dev_read_sound_mixer" lineno="4182">
 <summary>
 Read the sound mixer devices.
 </summary>
@@ -58242,7 +58371,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sound_mixer" lineno="4128">
+<interface name="dev_write_sound_mixer" lineno="4201">
 <summary>
 Write the sound mixer devices.
 </summary>
@@ -58252,7 +58381,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_power_mgmt_dev" lineno="4147">
+<interface name="dev_getattr_power_mgmt_dev" lineno="4220">
 <summary>
 Get the attributes of the the power management device.
 </summary>
@@ -58262,7 +58391,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_power_mgmt_dev" lineno="4165">
+<interface name="dev_setattr_power_mgmt_dev" lineno="4238">
 <summary>
 Set the attributes of the the power management device.
 </summary>
@@ -58272,7 +58401,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_power_management" lineno="4183">
+<interface name="dev_rw_power_management" lineno="4256">
 <summary>
 Read and write the the power management device.
 </summary>
@@ -58282,7 +58411,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_smartcard_dev" lineno="4201">
+<interface name="dev_getattr_smartcard_dev" lineno="4274">
 <summary>
 Getattr on smartcard devices
 </summary>
@@ -58292,7 +58421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4220">
+<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4293">
 <summary>
 dontaudit getattr on smartcard devices
 </summary>
@@ -58302,7 +58431,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_smartcard" lineno="4239">
+<interface name="dev_rw_smartcard" lineno="4312">
 <summary>
 Read and write smartcard devices.
 </summary>
@@ -58312,7 +58441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_smartcard" lineno="4257">
+<interface name="dev_manage_smartcard" lineno="4330">
 <summary>
 Create, read, write, and delete smartcard devices.
 </summary>
@@ -58322,7 +58451,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_sysdig" lineno="4275">
+<interface name="dev_rw_sysdig" lineno="4348">
 <summary>
 Read, write and map the sysdig device.
 </summary>
@@ -58332,7 +58461,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_sysfs" lineno="4294">
+<interface name="dev_mounton_sysfs" lineno="4367">
 <summary>
 Mount a filesystem on sysfs.  (Deprecated)
 </summary>
@@ -58342,7 +58471,7 @@ Domain allow access.
 </summary>
 </param>
 </interface>
-<interface name="dev_associate_sysfs" lineno="4309">
+<interface name="dev_associate_sysfs" lineno="4382">
 <summary>
 Associate a file to a sysfs filesystem.
 </summary>
@@ -58352,7 +58481,7 @@ The type of the file to be associated to sysfs.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sysfs_dirs" lineno="4327">
+<interface name="dev_getattr_sysfs_dirs" lineno="4400">
 <summary>
 Get the attributes of sysfs directories.
 </summary>
@@ -58362,7 +58491,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sysfs" lineno="4345">
+<interface name="dev_getattr_sysfs" lineno="4418">
 <summary>
 Get the attributes of sysfs filesystem
 </summary>
@@ -58372,7 +58501,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mount_sysfs" lineno="4363">
+<interface name="dev_mount_sysfs" lineno="4436">
 <summary>
 mount a sysfs filesystem
 </summary>
@@ -58382,7 +58511,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_remount_sysfs" lineno="4381">
+<interface name="dev_remount_sysfs" lineno="4454">
 <summary>
 Remount a sysfs filesystem.
 </summary>
@@ -58392,7 +58521,7 @@ Domain allow access.
 </summary>
 </param>
 </interface>
-<interface name="dev_unmount_sysfs" lineno="4399">
+<interface name="dev_unmount_sysfs" lineno="4472">
 <summary>
 unmount a sysfs filesystem
 </summary>
@@ -58402,7 +58531,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_sysfs" lineno="4417">
+<interface name="dev_dontaudit_getattr_sysfs" lineno="4490">
 <summary>
 Do not audit getting the attributes of sysfs filesystem
 </summary>
@@ -58412,7 +58541,7 @@ Domain to dontaudit access from
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_sysfs" lineno="4435">
+<interface name="dev_dontaudit_read_sysfs" lineno="4508">
 <summary>
 Dont audit attempts to read hardware state information
 </summary>
@@ -58422,7 +58551,7 @@ Domain for which the attempts do not need to be audited
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_sysfs_dirs" lineno="4455">
+<interface name="dev_mounton_sysfs_dirs" lineno="4528">
 <summary>
 Mount on sysfs directories.
 </summary>
@@ -58432,7 +58561,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_search_sysfs" lineno="4473">
+<interface name="dev_search_sysfs" lineno="4546">
 <summary>
 Search the sysfs directories.
 </summary>
@@ -58442,7 +58571,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_search_sysfs" lineno="4491">
+<interface name="dev_dontaudit_search_sysfs" lineno="4564">
 <summary>
 Do not audit attempts to search sysfs.
 </summary>
@@ -58452,7 +58581,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_list_sysfs" lineno="4509">
+<interface name="dev_list_sysfs" lineno="4582">
 <summary>
 List the contents of the sysfs directories.
 </summary>
@@ -58462,7 +58591,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sysfs_dirs" lineno="4528">
+<interface name="dev_write_sysfs_dirs" lineno="4601">
 <summary>
 Write in a sysfs directories.
 </summary>
@@ -58472,7 +58601,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4546">
+<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4619">
 <summary>
 Do not audit attempts to write in a sysfs directory.
 </summary>
@@ -58482,7 +58611,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_sysfs_files" lineno="4564">
+<interface name="dev_dontaudit_write_sysfs_files" lineno="4637">
 <summary>
 Do not audit attempts to write to a sysfs file.
 </summary>
@@ -58492,7 +58621,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_sysfs_dirs" lineno="4583">
+<interface name="dev_manage_sysfs_dirs" lineno="4656">
 <summary>
 Create, read, write, and delete sysfs
 directories.
@@ -58503,7 +58632,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sysfs" lineno="4610">
+<interface name="dev_read_sysfs" lineno="4683">
 <summary>
 Read hardware state information.
 </summary>
@@ -58522,7 +58651,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_write_sysfs" lineno="4638">
+<interface name="dev_write_sysfs" lineno="4711">
 <summary>
 Write to hardware state information.
 </summary>
@@ -58539,7 +58668,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_rw_sysfs" lineno="4657">
+<interface name="dev_rw_sysfs" lineno="4730">
 <summary>
 Allow caller to modify hardware state information.
 </summary>
@@ -58549,7 +58678,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_sysfs_files" lineno="4678">
+<interface name="dev_create_sysfs_files" lineno="4751">
 <summary>
 Add a sysfs file
 </summary>
@@ -58559,7 +58688,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_sysfs_dirs" lineno="4696">
+<interface name="dev_relabel_sysfs_dirs" lineno="4769">
 <summary>
 Relabel hardware state directories.
 </summary>
@@ -58569,7 +58698,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_all_sysfs" lineno="4714">
+<interface name="dev_relabel_all_sysfs" lineno="4787">
 <summary>
 Relabel from/to all sysfs types.
 </summary>
@@ -58579,7 +58708,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_all_sysfs" lineno="4734">
+<interface name="dev_setattr_all_sysfs" lineno="4807">
 <summary>
 Set the attributes of sysfs files, directories and symlinks.
 </summary>
@@ -58589,7 +58718,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_tpm" lineno="4754">
+<interface name="dev_rw_tpm" lineno="4827">
 <summary>
 Read and write the TPM device.
 </summary>
@@ -58599,7 +58728,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_urand" lineno="4795">
+<interface name="dev_read_urand" lineno="4868">
 <summary>
 Read from pseudo random number generator devices (e.g., /dev/urandom).
 </summary>
@@ -58632,7 +58761,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_dontaudit_read_urand" lineno="4814">
+<interface name="dev_dontaudit_read_urand" lineno="4887">
 <summary>
 Do not audit attempts to read from pseudo
 random devices (e.g., /dev/urandom)
@@ -58643,7 +58772,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_urand" lineno="4833">
+<interface name="dev_write_urand" lineno="4906">
 <summary>
 Write to the pseudo random device (e.g., /dev/urandom). This
 sets the random number generator seed.
@@ -58654,7 +58783,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_urand_dev" lineno="4851">
+<interface name="dev_create_urand_dev" lineno="4924">
 <summary>
 Create the urandom device (/dev/urandom).
 </summary>
@@ -58664,7 +58793,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_urand_dev" lineno="4869">
+<interface name="dev_setattr_urand_dev" lineno="4942">
 <summary>
 Set attributes on the urandom device (/dev/urandom).
 </summary>
@@ -58674,7 +58803,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_generic_usb_dev" lineno="4887">
+<interface name="dev_getattr_generic_usb_dev" lineno="4960">
 <summary>
 Getattr generic the USB devices.
 </summary>
@@ -58684,7 +58813,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_generic_usb_dev" lineno="4905">
+<interface name="dev_setattr_generic_usb_dev" lineno="4978">
 <summary>
 Setattr generic the USB devices.
 </summary>
@@ -58694,7 +58823,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_usb_dev" lineno="4923">
+<interface name="dev_read_generic_usb_dev" lineno="4996">
 <summary>
 Read generic the USB devices.
 </summary>
@@ -58704,7 +58833,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_usb_dev" lineno="4941">
+<interface name="dev_rw_generic_usb_dev" lineno="5014">
 <summary>
 Read and write generic the USB devices.
 </summary>
@@ -58714,7 +58843,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_generic_usb_dev" lineno="4959">
+<interface name="dev_delete_generic_usb_dev" lineno="5032">
+<summary>
+Delete the generic USB devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_relabel_generic_usb_dev" lineno="5050">
 <summary>
 Relabel generic the USB devices.
 </summary>
@@ -58724,7 +58863,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_usbmon_dev" lineno="4977">
+<interface name="dev_read_usbmon_dev" lineno="5068">
 <summary>
 Read USB monitor devices.
 </summary>
@@ -58734,7 +58873,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_usbmon_dev" lineno="4995">
+<interface name="dev_write_usbmon_dev" lineno="5086">
 <summary>
 Write USB monitor devices.
 </summary>
@@ -58744,7 +58883,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mount_usbfs" lineno="5013">
+<interface name="dev_mount_usbfs" lineno="5104">
 <summary>
 Mount a usbfs filesystem.
 </summary>
@@ -58754,7 +58893,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_associate_usbfs" lineno="5031">
+<interface name="dev_associate_usbfs" lineno="5122">
 <summary>
 Associate a file to a usbfs filesystem.
 </summary>
@@ -58764,7 +58903,7 @@ The type of the file to be associated to usbfs.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_usbfs_dirs" lineno="5049">
+<interface name="dev_getattr_usbfs_dirs" lineno="5140">
 <summary>
 Get the attributes of a directory in the usb filesystem.
 </summary>
@@ -58774,7 +58913,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5068">
+<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5159">
 <summary>
 Do not audit attempts to get the attributes
 of a directory in the usb filesystem.
@@ -58785,7 +58924,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_search_usbfs" lineno="5086">
+<interface name="dev_search_usbfs" lineno="5177">
 <summary>
 Search the directory containing USB hardware information.
 </summary>
@@ -58795,7 +58934,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_list_usbfs" lineno="5104">
+<interface name="dev_list_usbfs" lineno="5195">
 <summary>
 Allow caller to get a list of usb hardware.
 </summary>
@@ -58805,7 +58944,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_usbfs_files" lineno="5125">
+<interface name="dev_setattr_usbfs_files" lineno="5216">
 <summary>
 Set the attributes of usbfs filesystem.
 </summary>
@@ -58815,7 +58954,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_usbfs" lineno="5145">
+<interface name="dev_read_usbfs" lineno="5236">
 <summary>
 Read USB hardware information using
 the usbfs filesystem interface.
@@ -58826,7 +58965,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_usbfs" lineno="5165">
+<interface name="dev_rw_usbfs" lineno="5256">
 <summary>
 Allow caller to modify usb hardware configuration files.
 </summary>
@@ -58836,7 +58975,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_video_dev" lineno="5185">
+<interface name="dev_getattr_video_dev" lineno="5276">
 <summary>
 Get the attributes of video4linux devices.
 </summary>
@@ -58846,7 +58985,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_userio_dev" lineno="5203">
+<interface name="dev_rw_userio_dev" lineno="5294">
 <summary>
 Read and write userio device.
 </summary>
@@ -58856,7 +58995,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_video_dev" lineno="5222">
+<interface name="dev_dontaudit_getattr_video_dev" lineno="5313">
 <summary>
 Do not audit attempts to get the attributes
 of video4linux device nodes.
@@ -58867,7 +59006,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_video_dev" lineno="5240">
+<interface name="dev_setattr_video_dev" lineno="5331">
 <summary>
 Set the attributes of video4linux device nodes.
 </summary>
@@ -58877,7 +59016,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_video_dev" lineno="5259">
+<interface name="dev_dontaudit_setattr_video_dev" lineno="5350">
 <summary>
 Do not audit attempts to set the attributes
 of video4linux device nodes.
@@ -58888,7 +59027,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_video_dev" lineno="5277">
+<interface name="dev_read_video_dev" lineno="5368">
 <summary>
 Read the video4linux devices.
 </summary>
@@ -58898,7 +59037,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_video_dev" lineno="5295">
+<interface name="dev_write_video_dev" lineno="5386">
 <summary>
 Write the video4linux devices.
 </summary>
@@ -58908,7 +59047,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vfio_dev" lineno="5313">
+<interface name="dev_rw_vfio_dev" lineno="5404">
 <summary>
 Read and write vfio devices.
 </summary>
@@ -58918,7 +59057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabelfrom_vfio_dev" lineno="5331">
+<interface name="dev_relabelfrom_vfio_dev" lineno="5422">
 <summary>
 Relabel vfio devices.
 </summary>
@@ -58928,7 +59067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vhost" lineno="5349">
+<interface name="dev_rw_vhost" lineno="5440">
 <summary>
 Allow read/write the vhost devices
 </summary>
@@ -58938,7 +59077,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vmware" lineno="5367">
+<interface name="dev_rw_vmware" lineno="5458">
 <summary>
 Read and write VMWare devices.
 </summary>
@@ -58948,7 +59087,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rwx_vmware" lineno="5385">
+<interface name="dev_rwx_vmware" lineno="5476">
 <summary>
 Read, write, and mmap VMWare devices.
 </summary>
@@ -58958,7 +59097,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_watchdog" lineno="5404">
+<interface name="dev_read_watchdog" lineno="5495">
 <summary>
 Read from watchdog devices.
 </summary>
@@ -58968,7 +59107,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_watchdog" lineno="5422">
+<interface name="dev_write_watchdog" lineno="5513">
 <summary>
 Write to watchdog devices.
 </summary>
@@ -58978,7 +59117,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_wireless" lineno="5440">
+<interface name="dev_read_wireless" lineno="5531">
 <summary>
 Read the wireless device.
 </summary>
@@ -58988,7 +59127,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_wireless" lineno="5458">
+<interface name="dev_rw_wireless" lineno="5549">
 <summary>
 Read and write the the wireless device.
 </summary>
@@ -58998,7 +59137,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_wireless" lineno="5476">
+<interface name="dev_manage_wireless" lineno="5567">
 <summary>
 manage the wireless device.
 </summary>
@@ -59008,7 +59147,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_xen" lineno="5494">
+<interface name="dev_rw_xen" lineno="5585">
 <summary>
 Read and write Xen devices.
 </summary>
@@ -59018,7 +59157,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_xen" lineno="5513">
+<interface name="dev_manage_xen" lineno="5604">
 <summary>
 Create, read, write, and delete Xen devices.
 </summary>
@@ -59028,7 +59167,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_xen" lineno="5537">
+<interface name="dev_filetrans_xen" lineno="5628">
 <summary>
 Automatic type transition to the type
 for xen device nodes when created in /dev.
@@ -59044,7 +59183,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_xserver_misc_dev" lineno="5555">
+<interface name="dev_getattr_xserver_misc_dev" lineno="5646">
 <summary>
 Get the attributes of X server miscellaneous devices.
 </summary>
@@ -59054,7 +59193,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_xserver_misc_dev" lineno="5573">
+<interface name="dev_setattr_xserver_misc_dev" lineno="5664">
 <summary>
 Set the attributes of X server miscellaneous devices.
 </summary>
@@ -59064,7 +59203,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_xserver_misc" lineno="5591">
+<interface name="dev_rw_xserver_misc" lineno="5682">
 <summary>
 Read and write X server miscellaneous devices.
 </summary>
@@ -59074,7 +59213,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_map_xserver_misc" lineno="5609">
+<interface name="dev_map_xserver_misc" lineno="5700">
 <summary>
 Map X server miscellaneous devices.
 </summary>
@@ -59084,7 +59223,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_zero" lineno="5627">
+<interface name="dev_rw_zero" lineno="5718">
 <summary>
 Read and write to the zero device (/dev/zero).
 </summary>
@@ -59094,7 +59233,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rwx_zero" lineno="5645">
+<interface name="dev_rwx_zero" lineno="5736">
 <summary>
 Read, write, and execute the zero device (/dev/zero).
 </summary>
@@ -59104,7 +59243,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_execmod_zero" lineno="5664">
+<interface name="dev_execmod_zero" lineno="5755">
 <summary>
 Execmod the zero device (/dev/zero).
 </summary>
@@ -59114,7 +59253,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_zero_dev" lineno="5683">
+<interface name="dev_create_zero_dev" lineno="5774">
 <summary>
 Create the zero device (/dev/zero).
 </summary>
@@ -59124,7 +59263,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_cpu_online" lineno="5706">
+<interface name="dev_read_cpu_online" lineno="5797">
 <summary>
 Read cpu online hardware state information
 </summary>
@@ -59139,7 +59278,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_gpiochip" lineno="5726">
+<interface name="dev_rw_gpiochip" lineno="5817">
 <summary>
 Read and write to the gpiochip device, /dev/gpiochip[0-9]
 </summary>
@@ -59149,7 +59288,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_unconfined" lineno="5744">
+<interface name="dev_unconfined" lineno="5835">
 <summary>
 Unconfined access to devices.
 </summary>
@@ -59159,7 +59298,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_cpu_online" lineno="5764">
+<interface name="dev_relabel_cpu_online" lineno="5855">
 <summary>
 Relabel cpu online hardware state information.
 </summary>
@@ -59169,7 +59308,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_usbmon_dev" lineno="5783">
+<interface name="dev_dontaudit_read_usbmon_dev" lineno="5874">
 <summary>
 Dont audit attempts to read usbmon devices
 </summary>
@@ -61863,7 +62002,18 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_default_files" lineno="2943">
+<interface name="files_dontaudit_execute_default_files" lineno="2943">
+<summary>
+Do not audit attempts to execute files
+with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_default_files" lineno="2962">
 <summary>
 Create, read, write, and delete files with
 the default file type.
@@ -61874,7 +62024,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_symlinks" lineno="2961">
+<interface name="files_read_default_symlinks" lineno="2980">
 <summary>
 Read symbolic links with the default file type.
 </summary>
@@ -61884,7 +62034,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_sockets" lineno="2979">
+<interface name="files_read_default_sockets" lineno="2998">
 <summary>
 Read sockets with the default file type.
 </summary>
@@ -61894,7 +62044,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_pipes" lineno="2997">
+<interface name="files_read_default_pipes" lineno="3016">
 <summary>
 Read named pipes with the default file type.
 </summary>
@@ -61904,7 +62054,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_etc" lineno="3015">
+<interface name="files_search_etc" lineno="3034">
 <summary>
 Search the contents of /etc directories.
 </summary>
@@ -61914,7 +62064,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_etc_dirs" lineno="3033">
+<interface name="files_setattr_etc_dirs" lineno="3052">
 <summary>
 Set the attributes of the /etc directories.
 </summary>
@@ -61924,7 +62074,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_etc" lineno="3051">
+<interface name="files_list_etc" lineno="3070">
 <summary>
 List the contents of /etc directories.
 </summary>
@@ -61934,7 +62084,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_etc_dirs" lineno="3069">
+<interface name="files_dontaudit_write_etc_dirs" lineno="3088">
 <summary>
 Do not audit attempts to write to /etc dirs.
 </summary>
@@ -61944,7 +62094,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_dirs" lineno="3087">
+<interface name="files_rw_etc_dirs" lineno="3106">
 <summary>
 Add and remove entries from /etc directories.
 </summary>
@@ -61954,7 +62104,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_dirs" lineno="3106">
+<interface name="files_manage_etc_dirs" lineno="3125">
 <summary>
 Manage generic directories in /etc
 </summary>
@@ -61965,7 +62115,7 @@ Domain allowed access
 </param>
 
 </interface>
-<interface name="files_relabelto_etc_dirs" lineno="3124">
+<interface name="files_relabelto_etc_dirs" lineno="3143">
 <summary>
 Relabel directories to etc_t.
 </summary>
@@ -61975,7 +62125,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_etc_dirs" lineno="3143">
+<interface name="files_mounton_etc_dirs" lineno="3162">
 <summary>
 Mount a filesystem on the
 etc directories.
@@ -61986,7 +62136,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_remount_etc" lineno="3161">
+<interface name="files_remount_etc" lineno="3180">
 <summary>
 Remount etc filesystems.
 </summary>
@@ -61996,7 +62146,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_dirs" lineno="3179">
+<interface name="files_watch_etc_dirs" lineno="3198">
 <summary>
 Watch /etc directories
 </summary>
@@ -62006,7 +62156,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_files" lineno="3231">
+<interface name="files_read_etc_files" lineno="3250">
 <summary>
 Read generic files in /etc.
 </summary>
@@ -62050,7 +62200,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_map_etc_files" lineno="3263">
+<interface name="files_map_etc_files" lineno="3282">
 <summary>
 Map generic files in /etc.
 </summary>
@@ -62072,7 +62222,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_dontaudit_write_etc_files" lineno="3281">
+<interface name="files_dontaudit_write_etc_files" lineno="3300">
 <summary>
 Do not audit attempts to write generic files in /etc.
 </summary>
@@ -62082,7 +62232,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_files" lineno="3300">
+<interface name="files_rw_etc_files" lineno="3319">
 <summary>
 Read and write generic files in /etc.
 </summary>
@@ -62093,7 +62243,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_etc_files" lineno="3322">
+<interface name="files_manage_etc_files" lineno="3341">
 <summary>
 Create, read, write, and delete generic
 files in /etc.
@@ -62105,7 +62255,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_manage_etc_files" lineno="3343">
+<interface name="files_dontaudit_manage_etc_files" lineno="3362">
 <summary>
 Do not audit attempts to create, read, write,
 and delete generic files in /etc.
@@ -62117,7 +62267,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_delete_etc_files" lineno="3361">
+<interface name="files_delete_etc_files" lineno="3380">
 <summary>
 Delete system configuration files in /etc.
 </summary>
@@ -62127,7 +62277,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_etc_files" lineno="3379">
+<interface name="files_exec_etc_files" lineno="3398">
 <summary>
 Execute generic files in /etc.
 </summary>
@@ -62137,7 +62287,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_files" lineno="3399">
+<interface name="files_watch_etc_files" lineno="3418">
 <summary>
 Watch /etc files.
 </summary>
@@ -62147,7 +62297,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_get_etc_unit_status" lineno="3417">
+<interface name="files_get_etc_unit_status" lineno="3436">
 <summary>
 Get etc_t service status.
 </summary>
@@ -62157,7 +62307,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_start_etc_service" lineno="3436">
+<interface name="files_start_etc_service" lineno="3455">
 <summary>
 start etc_t service
 </summary>
@@ -62167,7 +62317,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_stop_etc_service" lineno="3455">
+<interface name="files_stop_etc_service" lineno="3474">
 <summary>
 stop etc_t service
 </summary>
@@ -62177,7 +62327,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_etc_files" lineno="3474">
+<interface name="files_relabel_etc_files" lineno="3493">
 <summary>
 Relabel from and to generic files in /etc.
 </summary>
@@ -62187,7 +62337,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_symlinks" lineno="3493">
+<interface name="files_read_etc_symlinks" lineno="3512">
 <summary>
 Read symbolic links in /etc.
 </summary>
@@ -62197,7 +62347,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_symlinks" lineno="3511">
+<interface name="files_watch_etc_symlinks" lineno="3530">
 <summary>
 Watch /etc symlinks
 </summary>
@@ -62207,7 +62357,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_symlinks" lineno="3529">
+<interface name="files_manage_etc_symlinks" lineno="3548">
 <summary>
 Create, read, write, and delete symbolic links in /etc.
 </summary>
@@ -62217,7 +62367,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_etc_filetrans" lineno="3563">
+<interface name="files_etc_filetrans" lineno="3582">
 <summary>
 Create objects in /etc with a private
 type using a type_transition.
@@ -62243,7 +62393,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_create_boot_flag" lineno="3593">
+<interface name="files_create_boot_flag" lineno="3612">
 <summary>
 Create a boot flag.
 </summary>
@@ -62265,7 +62415,7 @@ The name of the object being created.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_delete_boot_flag" lineno="3619">
+<interface name="files_delete_boot_flag" lineno="3638">
 <summary>
 Delete a boot flag.
 </summary>
@@ -62282,7 +62432,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_etc_runtime_dirs" lineno="3638">
+<interface name="files_getattr_etc_runtime_dirs" lineno="3657">
 <summary>
 Get the attributes of the
 etc_runtime directories.
@@ -62293,7 +62443,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_etc_runtime_dirs" lineno="3657">
+<interface name="files_mounton_etc_runtime_dirs" lineno="3676">
 <summary>
 Mount a filesystem on the
 etc_runtime directories.
@@ -62304,7 +62454,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_etc_runtime_dirs" lineno="3675">
+<interface name="files_relabelto_etc_runtime_dirs" lineno="3694">
 <summary>
 Relabel to etc_runtime_t dirs.
 </summary>
@@ -62314,7 +62464,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3693">
+<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3712">
 <summary>
 Do not audit attempts to set the attributes of the etc_runtime files
 </summary>
@@ -62324,7 +62474,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_runtime_files" lineno="3731">
+<interface name="files_read_etc_runtime_files" lineno="3750">
 <summary>
 Read files in /etc that are dynamically
 created on boot, such as mtab.
@@ -62354,7 +62504,7 @@ Domain allowed access.
 <infoflow type="read" weight="10" />
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_read_etc_runtime_files" lineno="3753">
+<interface name="files_dontaudit_read_etc_runtime_files" lineno="3772">
 <summary>
 Do not audit attempts to read files
 in /etc that are dynamically
@@ -62366,7 +62516,19 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_etc_files" lineno="3772">
+<interface name="files_dontaudit_execuite_etc_runtime_files" lineno="3792">
+<summary>
+Do not audit attempts to execuite files
+in /etc that are dynamically
+created on boot, such as mtab.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_read_etc_files" lineno="3811">
 <summary>
 Do not audit attempts to read files
 in /etc
@@ -62377,7 +62539,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_etc_runtime_files" lineno="3791">
+<interface name="files_dontaudit_write_etc_runtime_files" lineno="3830">
 <summary>
 Do not audit attempts to write
 etc runtime files.
@@ -62388,7 +62550,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_runtime_files" lineno="3811">
+<interface name="files_rw_etc_runtime_files" lineno="3850">
 <summary>
 Read and write files in /etc that are dynamically
 created on boot, such as mtab.
@@ -62400,7 +62562,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_etc_runtime_files" lineno="3833">
+<interface name="files_manage_etc_runtime_files" lineno="3872">
 <summary>
 Create, read, write, and delete files in
 /etc that are dynamically created on boot,
@@ -62413,7 +62575,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabelto_etc_runtime_files" lineno="3851">
+<interface name="files_relabelto_etc_runtime_files" lineno="3890">
 <summary>
 Relabel to etc_runtime_t files.
 </summary>
@@ -62423,7 +62585,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_etc_filetrans_etc_runtime" lineno="3880">
+<interface name="files_etc_filetrans_etc_runtime" lineno="3919">
 <summary>
 Create, etc runtime objects with an automatic
 type transition.
@@ -62444,7 +62606,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_home_dir" lineno="3899">
+<interface name="files_getattr_home_dir" lineno="3938">
 <summary>
 Get the attributes of the home directories root
 (/home).
@@ -62455,7 +62617,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_home_dir" lineno="3920">
+<interface name="files_dontaudit_getattr_home_dir" lineno="3959">
 <summary>
 Do not audit attempts to get the
 attributes of the home directories root
@@ -62467,7 +62629,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_home" lineno="3939">
+<interface name="files_search_home" lineno="3978">
 <summary>
 Search home directories root (/home).
 </summary>
@@ -62477,7 +62639,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_home" lineno="3959">
+<interface name="files_dontaudit_search_home" lineno="3998">
 <summary>
 Do not audit attempts to search
 home directories root (/home).
@@ -62488,7 +62650,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_home" lineno="3979">
+<interface name="files_dontaudit_list_home" lineno="4018">
 <summary>
 Do not audit attempts to list
 home directories root (/home).
@@ -62499,7 +62661,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_home" lineno="3998">
+<interface name="files_list_home" lineno="4037">
 <summary>
 Get listing of home directories.
 </summary>
@@ -62509,7 +62671,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_home" lineno="4017">
+<interface name="files_relabelto_home" lineno="4056">
 <summary>
 Relabel to user home root (/home).
 </summary>
@@ -62519,7 +62681,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelfrom_home" lineno="4035">
+<interface name="files_relabelfrom_home" lineno="4074">
 <summary>
 Relabel from user home root (/home).
 </summary>
@@ -62529,7 +62691,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_home" lineno="4053">
+<interface name="files_watch_home" lineno="4092">
 <summary>
 Watch the user home root (/home).
 </summary>
@@ -62539,7 +62701,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_home_filetrans" lineno="4086">
+<interface name="files_home_filetrans" lineno="4125">
 <summary>
 Create objects in /home.
 </summary>
@@ -62564,7 +62726,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_lost_found_dirs" lineno="4104">
+<interface name="files_getattr_lost_found_dirs" lineno="4143">
 <summary>
 Get the attributes of lost+found directories.
 </summary>
@@ -62574,7 +62736,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4123">
+<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4162">
 <summary>
 Do not audit attempts to get the attributes of
 lost+found directories.
@@ -62585,7 +62747,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_lost_found" lineno="4141">
+<interface name="files_list_lost_found" lineno="4180">
 <summary>
 List the contents of lost+found directories.
 </summary>
@@ -62595,7 +62757,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_lost_found" lineno="4161">
+<interface name="files_manage_lost_found" lineno="4200">
 <summary>
 Create, read, write, and delete objects in
 lost+found directories.
@@ -62607,7 +62769,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_search_mnt" lineno="4183">
+<interface name="files_search_mnt" lineno="4222">
 <summary>
 Search the contents of /mnt.
 </summary>
@@ -62617,7 +62779,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_mnt" lineno="4201">
+<interface name="files_dontaudit_search_mnt" lineno="4240">
 <summary>
 Do not audit attempts to search /mnt.
 </summary>
@@ -62627,7 +62789,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_mnt" lineno="4219">
+<interface name="files_list_mnt" lineno="4258">
 <summary>
 List the contents of /mnt.
 </summary>
@@ -62637,7 +62799,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_mnt" lineno="4237">
+<interface name="files_dontaudit_list_mnt" lineno="4276">
 <summary>
 Do not audit attempts to list the contents of /mnt.
 </summary>
@@ -62647,7 +62809,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_mnt" lineno="4255">
+<interface name="files_mounton_mnt" lineno="4294">
 <summary>
 Mount a filesystem on /mnt.
 </summary>
@@ -62657,7 +62819,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mnt_dirs" lineno="4274">
+<interface name="files_manage_mnt_dirs" lineno="4313">
 <summary>
 Create, read, write, and delete directories in /mnt.
 </summary>
@@ -62668,7 +62830,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_mnt_files" lineno="4292">
+<interface name="files_manage_mnt_files" lineno="4331">
 <summary>
 Create, read, write, and delete files in /mnt.
 </summary>
@@ -62678,7 +62840,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_mnt_files" lineno="4310">
+<interface name="files_read_mnt_files" lineno="4349">
 <summary>
 read files in /mnt.
 </summary>
@@ -62688,7 +62850,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_mnt_symlinks" lineno="4328">
+<interface name="files_read_mnt_symlinks" lineno="4367">
 <summary>
 Read symbolic links in /mnt.
 </summary>
@@ -62698,7 +62860,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mnt_symlinks" lineno="4346">
+<interface name="files_manage_mnt_symlinks" lineno="4385">
 <summary>
 Create, read, write, and delete symbolic links in /mnt.
 </summary>
@@ -62708,7 +62870,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_kernel_modules" lineno="4364">
+<interface name="files_search_kernel_modules" lineno="4403">
 <summary>
 Search the contents of the kernel module directories.
 </summary>
@@ -62718,7 +62880,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_kernel_modules" lineno="4383">
+<interface name="files_list_kernel_modules" lineno="4422">
 <summary>
 List the contents of the kernel module directories.
 </summary>
@@ -62728,7 +62890,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_kernel_modules" lineno="4402">
+<interface name="files_getattr_kernel_modules" lineno="4441">
 <summary>
 Get the attributes of kernel module files.
 </summary>
@@ -62738,7 +62900,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_kernel_modules" lineno="4420">
+<interface name="files_read_kernel_modules" lineno="4459">
 <summary>
 Read kernel module files.
 </summary>
@@ -62748,7 +62910,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mmap_read_kernel_modules" lineno="4440">
+<interface name="files_mmap_read_kernel_modules" lineno="4479">
 <summary>
 Read and mmap kernel module files.
 </summary>
@@ -62758,7 +62920,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_kernel_modules" lineno="4461">
+<interface name="files_write_kernel_modules" lineno="4500">
 <summary>
 Write kernel module files.
 </summary>
@@ -62768,7 +62930,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_kernel_modules" lineno="4480">
+<interface name="files_delete_kernel_modules" lineno="4519">
 <summary>
 Delete kernel module files.
 </summary>
@@ -62778,7 +62940,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_kernel_modules" lineno="4500">
+<interface name="files_manage_kernel_modules" lineno="4539">
 <summary>
 Create, read, write, and delete
 kernel module files.
@@ -62790,7 +62952,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_kernel_modules" lineno="4520">
+<interface name="files_relabel_kernel_modules" lineno="4559">
 <summary>
 Relabel from and to kernel module files.
 </summary>
@@ -62800,7 +62962,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_kernel_modules_dirs" lineno="4539">
+<interface name="files_mounton_kernel_modules_dirs" lineno="4578">
 <summary>
 Mount on kernel module directories.
 </summary>
@@ -62810,7 +62972,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_kernel_modules_filetrans" lineno="4573">
+<interface name="files_kernel_modules_filetrans" lineno="4612">
 <summary>
 Create objects in the kernel module directories
 with a private type via an automatic type transition.
@@ -62836,7 +62998,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_load_kernel_modules" lineno="4591">
+<interface name="files_load_kernel_modules" lineno="4630">
 <summary>
 Load kernel module files.
 </summary>
@@ -62846,7 +63008,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_load_kernel_modules" lineno="4610">
+<interface name="files_dontaudit_load_kernel_modules" lineno="4649">
 <summary>
 Load kernel module files.
 </summary>
@@ -62856,7 +63018,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_world_readable" lineno="4630">
+<interface name="files_list_world_readable" lineno="4669">
 <summary>
 List world-readable directories.
 </summary>
@@ -62867,7 +63029,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_files" lineno="4649">
+<interface name="files_read_world_readable_files" lineno="4688">
 <summary>
 Read world-readable files.
 </summary>
@@ -62878,7 +63040,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_symlinks" lineno="4668">
+<interface name="files_read_world_readable_symlinks" lineno="4707">
 <summary>
 Read world-readable symbolic links.
 </summary>
@@ -62889,7 +63051,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_pipes" lineno="4686">
+<interface name="files_read_world_readable_pipes" lineno="4725">
 <summary>
 Read world-readable named pipes.
 </summary>
@@ -62899,7 +63061,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_world_readable_sockets" lineno="4704">
+<interface name="files_read_world_readable_sockets" lineno="4743">
 <summary>
 Read world-readable sockets.
 </summary>
@@ -62909,7 +63071,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_associate_tmp" lineno="4724">
+<interface name="files_associate_tmp" lineno="4763">
 <summary>
 Allow the specified type to associate
 to a filesystem with the type of the
@@ -62921,7 +63083,7 @@ Type of the file to associate.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_tmp_dirs" lineno="4742">
+<interface name="files_getattr_tmp_dirs" lineno="4781">
 <summary>
 Get the	attributes of the tmp directory (/tmp).
 </summary>
@@ -62931,7 +63093,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4761">
+<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4800">
 <summary>
 Do not audit attempts to get the
 attributes of the tmp directory (/tmp).
@@ -62942,7 +63104,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_tmp" lineno="4779">
+<interface name="files_search_tmp" lineno="4818">
 <summary>
 Search the tmp directory (/tmp).
 </summary>
@@ -62952,7 +63114,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_tmp" lineno="4797">
+<interface name="files_dontaudit_search_tmp" lineno="4836">
 <summary>
 Do not audit attempts to search the tmp directory (/tmp).
 </summary>
@@ -62962,7 +63124,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_tmp" lineno="4815">
+<interface name="files_list_tmp" lineno="4854">
 <summary>
 Read the tmp directory (/tmp).
 </summary>
@@ -62972,7 +63134,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_tmp" lineno="4833">
+<interface name="files_dontaudit_list_tmp" lineno="4872">
 <summary>
 Do not audit listing of the tmp directory (/tmp).
 </summary>
@@ -62982,7 +63144,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_tmp_dir_entry" lineno="4851">
+<interface name="files_delete_tmp_dir_entry" lineno="4890">
 <summary>
 Remove entries from the tmp directory.
 </summary>
@@ -62992,7 +63154,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_tmp_files" lineno="4869">
+<interface name="files_read_generic_tmp_files" lineno="4908">
 <summary>
 Read files in the tmp directory (/tmp).
 </summary>
@@ -63002,7 +63164,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_tmp_dirs" lineno="4887">
+<interface name="files_manage_generic_tmp_dirs" lineno="4926">
 <summary>
 Manage temporary directories in /tmp.
 </summary>
@@ -63012,7 +63174,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_generic_tmp_dirs" lineno="4905">
+<interface name="files_relabel_generic_tmp_dirs" lineno="4944">
 <summary>
 Relabel temporary directories in /tmp.
 </summary>
@@ -63022,7 +63184,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_tmp_files" lineno="4923">
+<interface name="files_manage_generic_tmp_files" lineno="4962">
 <summary>
 Manage temporary files and directories in /tmp.
 </summary>
@@ -63032,7 +63194,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_tmp_symlinks" lineno="4941">
+<interface name="files_read_generic_tmp_symlinks" lineno="4980">
 <summary>
 Read symbolic links in the tmp directory (/tmp).
 </summary>
@@ -63042,7 +63204,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_generic_tmp_sockets" lineno="4959">
+<interface name="files_rw_generic_tmp_sockets" lineno="4998">
 <summary>
 Read and write generic named sockets in the tmp directory (/tmp).
 </summary>
@@ -63052,7 +63214,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_tmp" lineno="4977">
+<interface name="files_mounton_tmp" lineno="5016">
 <summary>
 Mount filesystems in the tmp directory (/tmp)
 </summary>
@@ -63062,7 +63224,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_all_tmp_dirs" lineno="4995">
+<interface name="files_setattr_all_tmp_dirs" lineno="5034">
 <summary>
 Set the attributes of all tmp directories.
 </summary>
@@ -63072,7 +63234,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_all_tmp" lineno="5013">
+<interface name="files_list_all_tmp" lineno="5052">
 <summary>
 List all tmp directories.
 </summary>
@@ -63082,7 +63244,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_tmp_dirs" lineno="5033">
+<interface name="files_relabel_all_tmp_dirs" lineno="5072">
 <summary>
 Relabel to and from all temporary
 directory types.
@@ -63094,7 +63256,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5054">
+<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5093">
 <summary>
 Do not audit attempts to get the attributes
 of all tmp files.
@@ -63105,7 +63267,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_tmp_files" lineno="5073">
+<interface name="files_getattr_all_tmp_files" lineno="5112">
 <summary>
 Allow attempts to get the attributes
 of all tmp files.
@@ -63116,7 +63278,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_tmp_files" lineno="5093">
+<interface name="files_relabel_all_tmp_files" lineno="5132">
 <summary>
 Relabel to and from all temporary
 file types.
@@ -63128,7 +63290,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5114">
+<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5153">
 <summary>
 Do not audit attempts to get the attributes
 of all tmp sock_file.
@@ -63139,7 +63301,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_tmp_files" lineno="5132">
+<interface name="files_read_all_tmp_files" lineno="5171">
 <summary>
 Read all tmp files.
 </summary>
@@ -63149,7 +63311,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_tmp_filetrans" lineno="5166">
+<interface name="files_tmp_filetrans" lineno="5205">
 <summary>
 Create an object in the tmp directories, with a private
 type using a type transition.
@@ -63175,7 +63337,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_purge_tmp" lineno="5184">
+<interface name="files_purge_tmp" lineno="5223">
 <summary>
 Delete the contents of /tmp.
 </summary>
@@ -63185,7 +63347,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_tmpfs_files" lineno="5207">
+<interface name="files_getattr_all_tmpfs_files" lineno="5246">
 <summary>
 Get the attributes of all tmpfs files.
 </summary>
@@ -63195,7 +63357,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_usr_dirs" lineno="5226">
+<interface name="files_setattr_usr_dirs" lineno="5265">
 <summary>
 Set the attributes of the /usr directory.
 </summary>
@@ -63205,7 +63367,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_usr" lineno="5244">
+<interface name="files_search_usr" lineno="5283">
 <summary>
 Search the content of /usr.
 </summary>
@@ -63215,7 +63377,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_usr" lineno="5263">
+<interface name="files_list_usr" lineno="5302">
 <summary>
 List the contents of generic
 directories in /usr.
@@ -63226,7 +63388,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_usr_dirs" lineno="5281">
+<interface name="files_dontaudit_write_usr_dirs" lineno="5320">
 <summary>
 Do not audit write of /usr dirs
 </summary>
@@ -63236,7 +63398,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_usr_dirs" lineno="5299">
+<interface name="files_rw_usr_dirs" lineno="5338">
 <summary>
 Add and remove entries from /usr directories.
 </summary>
@@ -63246,7 +63408,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_usr_dirs" lineno="5318">
+<interface name="files_dontaudit_rw_usr_dirs" lineno="5357">
 <summary>
 Do not audit attempts to add and remove
 entries from /usr directories.
@@ -63257,7 +63419,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_usr_dirs" lineno="5336">
+<interface name="files_delete_usr_dirs" lineno="5375">
 <summary>
 Delete generic directories in /usr in the caller domain.
 </summary>
@@ -63267,7 +63429,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_usr_dirs" lineno="5354">
+<interface name="files_watch_usr_dirs" lineno="5393">
 <summary>
 Watch generic directories in /usr.
 </summary>
@@ -63277,7 +63439,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_usr_files" lineno="5372">
+<interface name="files_delete_usr_files" lineno="5411">
 <summary>
 Delete generic files in /usr in the caller domain.
 </summary>
@@ -63287,7 +63449,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_usr_files" lineno="5390">
+<interface name="files_getattr_usr_files" lineno="5429">
 <summary>
 Get the attributes of files in /usr.
 </summary>
@@ -63297,7 +63459,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_map_usr_files" lineno="5409">
+<interface name="files_map_usr_files" lineno="5448">
 <summary>
 Map generic files in /usr.
 </summary>
@@ -63308,7 +63470,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_read_usr_files" lineno="5445">
+<interface name="files_read_usr_files" lineno="5484">
 <summary>
 Read generic files in /usr.
 </summary>
@@ -63336,7 +63498,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_exec_usr_files" lineno="5465">
+<interface name="files_exec_usr_files" lineno="5504">
 <summary>
 Execute generic programs in /usr in the caller domain.
 </summary>
@@ -63346,7 +63508,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_usr_files" lineno="5485">
+<interface name="files_dontaudit_write_usr_files" lineno="5524">
 <summary>
 dontaudit write of /usr files
 </summary>
@@ -63356,7 +63518,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_usr_files" lineno="5503">
+<interface name="files_manage_usr_files" lineno="5542">
 <summary>
 Create, read, write, and delete files in the /usr directory.
 </summary>
@@ -63366,7 +63528,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_usr_files" lineno="5521">
+<interface name="files_relabelto_usr_files" lineno="5560">
 <summary>
 Relabel a file to the type used in /usr.
 </summary>
@@ -63376,7 +63538,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelfrom_usr_files" lineno="5539">
+<interface name="files_relabelfrom_usr_files" lineno="5578">
 <summary>
 Relabel a file from the type used in /usr.
 </summary>
@@ -63386,7 +63548,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_usr_symlinks" lineno="5557">
+<interface name="files_read_usr_symlinks" lineno="5596">
 <summary>
 Read symbolic links in /usr.
 </summary>
@@ -63396,7 +63558,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_usr_filetrans" lineno="5590">
+<interface name="files_usr_filetrans" lineno="5629">
 <summary>
 Create objects in the /usr directory
 </summary>
@@ -63421,7 +63583,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_search_src" lineno="5608">
+<interface name="files_search_src" lineno="5647">
 <summary>
 Search directories in /usr/src.
 </summary>
@@ -63431,7 +63593,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_src" lineno="5626">
+<interface name="files_dontaudit_search_src" lineno="5665">
 <summary>
 Do not audit attempts to search /usr/src.
 </summary>
@@ -63441,7 +63603,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_usr_src_files" lineno="5644">
+<interface name="files_getattr_usr_src_files" lineno="5683">
 <summary>
 Get the attributes of files in /usr/src.
 </summary>
@@ -63451,7 +63613,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_usr_src_files" lineno="5665">
+<interface name="files_read_usr_src_files" lineno="5704">
 <summary>
 Read files in /usr/src.
 </summary>
@@ -63461,7 +63623,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_usr_src_files" lineno="5686">
+<interface name="files_exec_usr_src_files" lineno="5725">
 <summary>
 Execute programs in /usr/src in the caller domain.
 </summary>
@@ -63471,7 +63633,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_kernel_symbol_table" lineno="5706">
+<interface name="files_create_kernel_symbol_table" lineno="5745">
 <summary>
 Install a system.map into the /boot directory.
 </summary>
@@ -63481,7 +63643,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_kernel_symbol_table" lineno="5725">
+<interface name="files_read_kernel_symbol_table" lineno="5764">
 <summary>
 Read system.map in the /boot directory.
 </summary>
@@ -63491,7 +63653,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_kernel_symbol_table" lineno="5744">
+<interface name="files_delete_kernel_symbol_table" lineno="5783">
 <summary>
 Delete a system.map in the /boot directory.
 </summary>
@@ -63501,7 +63663,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_kernel_symbol_table" lineno="5763">
+<interface name="files_mounton_kernel_symbol_table" lineno="5802">
 <summary>
 Mount on a system.map in the /boot directory (for bind mounts).
 </summary>
@@ -63511,7 +63673,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_var" lineno="5782">
+<interface name="files_search_var" lineno="5821">
 <summary>
 Search the contents of /var.
 </summary>
@@ -63521,7 +63683,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_var_dirs" lineno="5800">
+<interface name="files_dontaudit_write_var_dirs" lineno="5839">
 <summary>
 Do not audit attempts to write to /var.
 </summary>
@@ -63531,7 +63693,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_write_var_dirs" lineno="5818">
+<interface name="files_write_var_dirs" lineno="5857">
 <summary>
 Allow attempts to write to /var.dirs
 </summary>
@@ -63541,7 +63703,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_var" lineno="5837">
+<interface name="files_dontaudit_search_var" lineno="5876">
 <summary>
 Do not audit attempts to search
 the contents of /var.
@@ -63552,7 +63714,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_var" lineno="5855">
+<interface name="files_list_var" lineno="5894">
 <summary>
 List the contents of /var.
 </summary>
@@ -63562,7 +63724,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_var" lineno="5874">
+<interface name="files_dontaudit_list_var" lineno="5913">
 <summary>
 Do not audit attempts to list
 the contents of /var.
@@ -63573,7 +63735,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_dirs" lineno="5893">
+<interface name="files_manage_var_dirs" lineno="5932">
 <summary>
 Create, read, write, and delete directories
 in the /var directory.
@@ -63584,7 +63746,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_var_dirs" lineno="5911">
+<interface name="files_relabel_var_dirs" lineno="5950">
 <summary>
 relabelto/from var directories
 </summary>
@@ -63594,7 +63756,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_files" lineno="5929">
+<interface name="files_read_var_files" lineno="5968">
 <summary>
 Read files in the /var directory.
 </summary>
@@ -63604,7 +63766,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_append_var_files" lineno="5947">
+<interface name="files_append_var_files" lineno="5986">
 <summary>
 Append files in the /var directory.
 </summary>
@@ -63614,7 +63776,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_var_files" lineno="5965">
+<interface name="files_rw_var_files" lineno="6004">
 <summary>
 Read and write files in the /var directory.
 </summary>
@@ -63624,7 +63786,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_var_files" lineno="5984">
+<interface name="files_dontaudit_rw_var_files" lineno="6023">
 <summary>
 Do not audit attempts to read and write
 files in the /var directory.
@@ -63635,7 +63797,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_files" lineno="6002">
+<interface name="files_manage_var_files" lineno="6041">
 <summary>
 Create, read, write, and delete files in the /var directory.
 </summary>
@@ -63645,7 +63807,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_symlinks" lineno="6020">
+<interface name="files_read_var_symlinks" lineno="6059">
 <summary>
 Read symbolic links in the /var directory.
 </summary>
@@ -63655,7 +63817,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_symlinks" lineno="6039">
+<interface name="files_manage_var_symlinks" lineno="6078">
 <summary>
 Create, read, write, and delete symbolic
 links in the /var directory.
@@ -63666,7 +63828,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_var_filetrans" lineno="6072">
+<interface name="files_var_filetrans" lineno="6111">
 <summary>
 Create objects in the /var directory
 </summary>
@@ -63691,7 +63853,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_var_lib_dirs" lineno="6090">
+<interface name="files_getattr_var_lib_dirs" lineno="6129">
 <summary>
 Get the attributes of the /var/lib directory.
 </summary>
@@ -63701,7 +63863,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_var_lib" lineno="6122">
+<interface name="files_search_var_lib" lineno="6161">
 <summary>
 Search the /var/lib directory.
 </summary>
@@ -63725,7 +63887,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="5"/>
 </interface>
-<interface name="files_dontaudit_search_var_lib" lineno="6142">
+<interface name="files_dontaudit_search_var_lib" lineno="6181">
 <summary>
 Do not audit attempts to search the
 contents of /var/lib.
@@ -63737,7 +63899,7 @@ Domain to not audit.
 </param>
 <infoflow type="read" weight="5"/>
 </interface>
-<interface name="files_list_var_lib" lineno="6160">
+<interface name="files_list_var_lib" lineno="6199">
 <summary>
 List the contents of the /var/lib directory.
 </summary>
@@ -63747,7 +63909,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_var_lib_dirs" lineno="6178">
+<interface name="files_rw_var_lib_dirs" lineno="6217">
 <summary>
 Read-write /var/lib directories
 </summary>
@@ -63757,7 +63919,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_lib_dirs" lineno="6196">
+<interface name="files_manage_var_lib_dirs" lineno="6235">
 <summary>
 manage var_lib_t dirs
 </summary>
@@ -63767,7 +63929,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_var_lib_dirs" lineno="6215">
+<interface name="files_relabel_var_lib_dirs" lineno="6254">
 <summary>
 relabel var_lib_t dirs
 </summary>
@@ -63777,7 +63939,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_var_lib_filetrans" lineno="6249">
+<interface name="files_var_lib_filetrans" lineno="6288">
 <summary>
 Create objects in the /var/lib directory
 </summary>
@@ -63802,7 +63964,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_lib_files" lineno="6268">
+<interface name="files_read_var_lib_files" lineno="6307">
 <summary>
 Read generic files in /var/lib.
 </summary>
@@ -63812,7 +63974,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_lib_symlinks" lineno="6287">
+<interface name="files_read_var_lib_symlinks" lineno="6326">
 <summary>
 Read generic symbolic links in /var/lib
 </summary>
@@ -63822,7 +63984,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_urandom_seed" lineno="6309">
+<interface name="files_manage_urandom_seed" lineno="6348">
 <summary>
 Create, read, write, and delete the
 pseudorandom number generator seed.
@@ -63833,7 +63995,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mounttab" lineno="6328">
+<interface name="files_manage_mounttab" lineno="6367">
 <summary>
 Allow domain to manage mount tables
 necessary for rpcd, nfsd, etc.
@@ -63844,7 +64006,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_lock_dirs" lineno="6347">
+<interface name="files_setattr_lock_dirs" lineno="6386">
 <summary>
 Set the attributes of the generic lock directories.
 </summary>
@@ -63854,7 +64016,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_locks" lineno="6365">
+<interface name="files_search_locks" lineno="6404">
 <summary>
 Search the locks directory (/var/lock).
 </summary>
@@ -63864,7 +64026,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_locks" lineno="6385">
+<interface name="files_dontaudit_search_locks" lineno="6424">
 <summary>
 Do not audit attempts to search the
 locks directory (/var/lock).
@@ -63875,7 +64037,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_locks" lineno="6404">
+<interface name="files_list_locks" lineno="6443">
 <summary>
 List generic lock directories.
 </summary>
@@ -63885,7 +64047,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_check_write_lock_dirs" lineno="6423">
+<interface name="files_check_write_lock_dirs" lineno="6462">
 <summary>
 Test write access on lock directories.
 </summary>
@@ -63895,7 +64057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_add_entry_lock_dirs" lineno="6442">
+<interface name="files_add_entry_lock_dirs" lineno="6481">
 <summary>
 Add entries in the /var/lock directories.
 </summary>
@@ -63905,7 +64067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_lock_dirs" lineno="6462">
+<interface name="files_rw_lock_dirs" lineno="6501">
 <summary>
 Add and remove entries in the /var/lock
 directories.
@@ -63916,7 +64078,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_lock_dirs" lineno="6481">
+<interface name="files_create_lock_dirs" lineno="6520">
 <summary>
 Create lock directories
 </summary>
@@ -63926,7 +64088,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_lock_dirs" lineno="6502">
+<interface name="files_relabel_all_lock_dirs" lineno="6541">
 <summary>
 Relabel to and from all lock directory types.
 </summary>
@@ -63937,7 +64099,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_generic_locks" lineno="6523">
+<interface name="files_getattr_generic_locks" lineno="6562">
 <summary>
 Get the attributes of generic lock files.
 </summary>
@@ -63947,7 +64109,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_generic_locks" lineno="6544">
+<interface name="files_delete_generic_locks" lineno="6583">
 <summary>
 Delete generic lock files.
 </summary>
@@ -63957,7 +64119,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_locks" lineno="6565">
+<interface name="files_manage_generic_locks" lineno="6604">
 <summary>
 Create, read, write, and delete generic
 lock files.
@@ -63968,7 +64130,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_locks" lineno="6587">
+<interface name="files_delete_all_locks" lineno="6626">
 <summary>
 Delete all lock files.
 </summary>
@@ -63979,7 +64141,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_all_locks" lineno="6608">
+<interface name="files_read_all_locks" lineno="6647">
 <summary>
 Read all lock files.
 </summary>
@@ -63989,7 +64151,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_all_locks" lineno="6631">
+<interface name="files_manage_all_locks" lineno="6670">
 <summary>
 manage all lock files.
 </summary>
@@ -63999,7 +64161,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_locks" lineno="6654">
+<interface name="files_relabel_all_locks" lineno="6693">
 <summary>
 Relabel from/to all lock files.
 </summary>
@@ -64009,7 +64171,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_lock_filetrans" lineno="6693">
+<interface name="files_lock_filetrans" lineno="6732">
 <summary>
 Create an object in the locks directory, with a private
 type using a type transition.
@@ -64035,7 +64197,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6714">
+<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6753">
 <summary>
 Do not audit attempts to get the attributes
 of the /var/run directory.
@@ -64046,7 +64208,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_runtime_dirs" lineno="6733">
+<interface name="files_mounton_runtime_dirs" lineno="6772">
 <summary>
 mounton a /var/run directory.
 </summary>
@@ -64056,7 +64218,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_runtime_dirs" lineno="6751">
+<interface name="files_setattr_runtime_dirs" lineno="6790">
 <summary>
 Set the attributes of the /var/run directory.
 </summary>
@@ -64066,7 +64228,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_runtime" lineno="6771">
+<interface name="files_search_runtime" lineno="6810">
 <summary>
 Search the contents of runtime process
 ID directories (/var/run).
@@ -64077,7 +64239,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_runtime" lineno="6791">
+<interface name="files_dontaudit_search_runtime" lineno="6830">
 <summary>
 Do not audit attempts to search
 the /var/run directory.
@@ -64088,7 +64250,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_runtime" lineno="6811">
+<interface name="files_list_runtime" lineno="6850">
 <summary>
 List the contents of the runtime process
 ID directories (/var/run).
@@ -64099,7 +64261,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_check_write_runtime_dirs" lineno="6830">
+<interface name="files_check_write_runtime_dirs" lineno="6869">
 <summary>
 Check write access on /var/run directories.
 </summary>
@@ -64109,7 +64271,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_runtime_dirs" lineno="6848">
+<interface name="files_create_runtime_dirs" lineno="6887">
 <summary>
 Create a /var/run directory.
 </summary>
@@ -64119,7 +64281,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_runtime_dirs" lineno="6866">
+<interface name="files_rw_runtime_dirs" lineno="6905">
 <summary>
 Read and write a /var/run directory.
 </summary>
@@ -64129,7 +64291,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_runtime_dirs" lineno="6884">
+<interface name="files_watch_var_lib_dirs" lineno="6923">
+<summary>
+Watch /var/lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_watch_runtime_dirs" lineno="6941">
 <summary>
 Watch /var/run directories.
 </summary>
@@ -64139,7 +64311,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_runtime_files" lineno="6902">
+<interface name="files_watch_var_dirs" lineno="6959">
+<summary>
+Watch /var directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_runtime_files" lineno="6977">
 <summary>
 Read generic runtime files.
 </summary>
@@ -64149,7 +64331,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_runtime" lineno="6922">
+<interface name="files_exec_runtime" lineno="6997">
 <summary>
 Execute generic programs in /var/run in the caller domain.
 </summary>
@@ -64159,7 +64341,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_runtime_files" lineno="6940">
+<interface name="files_dontaudit_exec_runtime" lineno="7015">
+<summary>
+Dontaudit attempt to execute generic programs in /var/run in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_runtime_files" lineno="7033">
 <summary>
 Read and write generic runtime files.
 </summary>
@@ -64169,7 +64361,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_runtime_symlinks" lineno="6960">
+<interface name="files_delete_runtime_symlinks" lineno="7053">
 <summary>
 Delete generic runtime symlinks.
 </summary>
@@ -64179,7 +64371,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_runtime_pipes" lineno="6978">
+<interface name="files_write_runtime_pipes" lineno="7071">
 <summary>
 Write named generic runtime pipes.
 </summary>
@@ -64189,7 +64381,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_dirs" lineno="6998">
+<interface name="files_delete_all_runtime_dirs" lineno="7091">
 <summary>
 Delete all runtime dirs.
 </summary>
@@ -64200,7 +64392,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_dirs" lineno="7016">
+<interface name="files_manage_all_runtime_dirs" lineno="7109">
 <summary>
 Create, read, write, and delete all runtime directories.
 </summary>
@@ -64210,7 +64402,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_dirs" lineno="7034">
+<interface name="files_relabel_all_runtime_dirs" lineno="7127">
 <summary>
 Relabel all runtime directories.
 </summary>
@@ -64220,7 +64412,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7053">
+<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7146">
 <summary>
 Do not audit attempts to get the attributes of
 all runtime data files.
@@ -64231,7 +64423,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_runtime_files" lineno="7074">
+<interface name="files_read_all_runtime_files" lineno="7167">
 <summary>
 Read all runtime files.
 </summary>
@@ -64242,7 +64434,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7095">
+<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7188">
 <summary>
 Do not audit attempts to ioctl all runtime files.
 </summary>
@@ -64252,7 +64444,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_all_runtime_files" lineno="7115">
+<interface name="files_dontaudit_write_all_runtime_files" lineno="7208">
 <summary>
 Do not audit attempts to write to all runtime files.
 </summary>
@@ -64262,7 +64454,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_files" lineno="7136">
+<interface name="files_delete_all_runtime_files" lineno="7229">
 <summary>
 Delete all runtime files.
 </summary>
@@ -64273,7 +64465,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_files" lineno="7155">
+<interface name="files_manage_all_runtime_files" lineno="7248">
 <summary>
 Create, read, write and delete all
 var_run (pid) files
@@ -64284,7 +64476,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_files" lineno="7173">
+<interface name="files_relabel_all_runtime_files" lineno="7266">
 <summary>
 Relabel all runtime files.
 </summary>
@@ -64294,7 +64486,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_symlinks" lineno="7192">
+<interface name="files_delete_all_runtime_symlinks" lineno="7285">
 <summary>
 Delete all runtime symlinks.
 </summary>
@@ -64305,7 +64497,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_symlinks" lineno="7211">
+<interface name="files_manage_all_runtime_symlinks" lineno="7304">
 <summary>
 Create, read, write and delete all
 var_run (pid) symbolic links.
@@ -64316,7 +64508,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_symlinks" lineno="7229">
+<interface name="files_relabel_all_runtime_symlinks" lineno="7322">
 <summary>
 Relabel all runtime symbolic links.
 </summary>
@@ -64326,7 +64518,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_runtime_pipes" lineno="7247">
+<interface name="files_create_all_runtime_pipes" lineno="7340">
 <summary>
 Create all runtime named pipes
 </summary>
@@ -64336,7 +64528,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_pipes" lineno="7266">
+<interface name="files_delete_all_runtime_pipes" lineno="7359">
 <summary>
 Delete all runtime named pipes
 </summary>
@@ -64346,7 +64538,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_runtime_sockets" lineno="7285">
+<interface name="files_create_all_runtime_sockets" lineno="7378">
 <summary>
 Create all runtime sockets.
 </summary>
@@ -64356,7 +64548,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_sockets" lineno="7303">
+<interface name="files_delete_all_runtime_sockets" lineno="7396">
 <summary>
 Delete all runtime sockets.
 </summary>
@@ -64366,7 +64558,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_sockets" lineno="7321">
+<interface name="files_relabel_all_runtime_sockets" lineno="7414">
 <summary>
 Relabel all runtime named sockets.
 </summary>
@@ -64376,7 +64568,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_runtime_filetrans" lineno="7381">
+<interface name="files_runtime_filetrans" lineno="7474">
 <summary>
 Create an object in the /run directory, with a private type.
 </summary>
@@ -64428,7 +64620,7 @@ The name of the object being created.
 </param>
 <infoflow type="write" weight="10"/>
 </interface>
-<interface name="files_runtime_filetrans_lock_dir" lineno="7406">
+<interface name="files_runtime_filetrans_lock_dir" lineno="7499">
 <summary>
 Create a generic lock directory within the run directories.
 </summary>
@@ -64443,7 +64635,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_spool_sockets" lineno="7424">
+<interface name="files_create_all_spool_sockets" lineno="7517">
 <summary>
 Create all spool sockets
 </summary>
@@ -64453,7 +64645,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_spool_sockets" lineno="7442">
+<interface name="files_delete_all_spool_sockets" lineno="7535">
 <summary>
 Delete all spool sockets
 </summary>
@@ -64463,7 +64655,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_all_poly_members" lineno="7461">
+<interface name="files_mounton_all_poly_members" lineno="7554">
 <summary>
 Mount filesystems on all polyinstantiation
 member directories.
@@ -64474,7 +64666,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_spool" lineno="7480">
+<interface name="files_search_spool" lineno="7573">
 <summary>
 Search the contents of generic spool
 directories (/var/spool).
@@ -64485,7 +64677,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_spool" lineno="7499">
+<interface name="files_dontaudit_search_spool" lineno="7592">
 <summary>
 Do not audit attempts to search generic
 spool directories.
@@ -64496,7 +64688,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_spool" lineno="7518">
+<interface name="files_list_spool" lineno="7611">
 <summary>
 List the contents of generic spool
 (/var/spool) directories.
@@ -64507,7 +64699,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_spool_dirs" lineno="7537">
+<interface name="files_manage_generic_spool_dirs" lineno="7630">
 <summary>
 Create, read, write, and delete generic
 spool directories (/var/spool).
@@ -64518,7 +64710,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_spool" lineno="7556">
+<interface name="files_read_generic_spool" lineno="7649">
 <summary>
 Read generic spool files.
 </summary>
@@ -64528,7 +64720,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_spool" lineno="7576">
+<interface name="files_manage_generic_spool" lineno="7669">
 <summary>
 Create, read, write, and delete generic
 spool files.
@@ -64539,7 +64731,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_spool_filetrans" lineno="7612">
+<interface name="files_spool_filetrans" lineno="7705">
 <summary>
 Create objects in the spool directory
 with a private type with a type transition.
@@ -64566,7 +64758,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_polyinstantiate_all" lineno="7632">
+<interface name="files_polyinstantiate_all" lineno="7725">
 <summary>
 Allow access to manage all polyinstantiated
 directories on the system.
@@ -64577,7 +64769,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_unconfined" lineno="7686">
+<interface name="files_unconfined" lineno="7779">
 <summary>
 Unconfined access to files.
 </summary>
@@ -64587,7 +64779,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_runtime_lnk_files" lineno="7708">
+<interface name="files_manage_etc_runtime_lnk_files" lineno="7801">
 <summary>
 Create, read, write, and delete symbolic links in
 /etc that are dynamically created on boot.
@@ -64599,7 +64791,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_read_etc_runtime" lineno="7726">
+<interface name="files_dontaudit_read_etc_runtime" lineno="7819">
 <summary>
 Do not audit attempts to read etc_runtime resources
 </summary>
@@ -64609,7 +64801,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_src" lineno="7744">
+<interface name="files_list_src" lineno="7837">
 <summary>
 List usr/src files
 </summary>
@@ -64619,7 +64811,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_read_src_files" lineno="7762">
+<interface name="files_read_src_files" lineno="7855">
 <summary>
 Read usr/src files
 </summary>
@@ -64629,7 +64821,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_manage_src_files" lineno="7780">
+<interface name="files_manage_src_files" lineno="7873">
 <summary>
 Manage /usr/src files
 </summary>
@@ -64639,7 +64831,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_lib_filetrans_kernel_modules" lineno="7811">
+<interface name="files_lib_filetrans_kernel_modules" lineno="7904">
 <summary>
 Create a resource in the generic lib location
 with an automatic type transition towards the kernel modules
@@ -64661,7 +64853,7 @@ Optional name of the resource
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_runtime" lineno="7829">
+<interface name="files_read_etc_runtime" lineno="7922">
 <summary>
 Read etc runtime resources
 </summary>
@@ -64671,7 +64863,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_non_security_file_types" lineno="7851">
+<interface name="files_relabel_all_non_security_file_types" lineno="7944">
 <summary>
 Allow relabel from and to non-security types
 </summary>
@@ -64682,7 +64874,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_non_security_file_types" lineno="7881">
+<interface name="files_manage_all_non_security_file_types" lineno="7974">
 <summary>
 Manage non-security-sensitive resource types
 </summary>
@@ -64693,7 +64885,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_all_pidfiles" lineno="7903">
+<interface name="files_relabel_all_pidfiles" lineno="7996">
 <summary>
 Allow relabeling from and to any pidfile associated type
 </summary>
@@ -65073,7 +65265,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_binfmt_misc_dirs" lineno="616">
+<interface name="fs_getattr_binfmt_misc_fs" lineno="615">
+<summary>
+Get the attributes of binfmt_misc filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_binfmt_misc_dirs" lineno="634">
 <summary>
 Get the attributes of directories on
 binfmt_misc filesystems.
@@ -65084,7 +65286,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_register_binary_executable_type" lineno="652">
+<interface name="fs_check_write_binfmt_misc_dirs" lineno="654">
+<summary>
+Check for permissions using access(2) of directories on
+binfmt_misc filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_register_binary_executable_type" lineno="689">
 <summary>
 Register an interpreter for new binary
 file types, using the kernel binfmt_misc
@@ -65111,7 +65324,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mount_bpf" lineno="672">
+<interface name="fs_mount_bpf" lineno="709">
 <summary>
 Mount a bpf filesystem.
 </summary>
@@ -65121,7 +65334,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_bpf_dirs" lineno="690">
+<interface name="fs_create_bpf_dirs" lineno="727">
 <summary>
 Create bpf directories.
 </summary>
@@ -65131,7 +65344,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_bpf_files" lineno="708">
+<interface name="fs_manage_bpf_files" lineno="745">
 <summary>
 Manage bpf files.
 </summary>
@@ -65141,7 +65354,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_cgroup" lineno="726">
+<interface name="fs_manage_bpf_symlinks" lineno="763">
+<summary>
+Manage bpf symlinks.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_cgroup" lineno="781">
 <summary>
 Mount cgroup filesystems.
 </summary>
@@ -65151,7 +65374,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_cgroup" lineno="744">
+<interface name="fs_remount_cgroup" lineno="799">
 <summary>
 Remount cgroup filesystems.
 </summary>
@@ -65161,7 +65384,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_cgroup" lineno="762">
+<interface name="fs_unmount_cgroup" lineno="817">
 <summary>
 Unmount cgroup filesystems.
 </summary>
@@ -65171,7 +65394,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_cgroup" lineno="780">
+<interface name="fs_getattr_cgroup" lineno="835">
 <summary>
 Get attributes of cgroup filesystems.
 </summary>
@@ -65181,7 +65404,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_cgroup_dirs" lineno="798">
+<interface name="fs_search_cgroup_dirs" lineno="853">
 <summary>
 Search cgroup directories.
 </summary>
@@ -65191,7 +65414,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_cgroup_dirs" lineno="817">
+<interface name="fs_list_cgroup_dirs" lineno="872">
 <summary>
 list cgroup directories.
 </summary>
@@ -65201,7 +65424,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_ioctl_cgroup_dirs" lineno="836">
+<interface name="fs_ioctl_cgroup_dirs" lineno="891">
 <summary>
 Ioctl cgroup directories.
 </summary>
@@ -65211,7 +65434,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_cgroup_dirs" lineno="855">
+<interface name="fs_create_cgroup_dirs" lineno="910">
 <summary>
 Create cgroup directories.
 </summary>
@@ -65221,7 +65444,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_delete_cgroup_dirs" lineno="874">
+<interface name="fs_delete_cgroup_dirs" lineno="929">
 <summary>
 Delete cgroup directories.
 </summary>
@@ -65231,7 +65454,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cgroup_dirs" lineno="893">
+<interface name="fs_manage_cgroup_dirs" lineno="948">
 <summary>
 Manage cgroup directories.
 </summary>
@@ -65241,7 +65464,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_cgroup_dirs" lineno="913">
+<interface name="fs_relabel_cgroup_dirs" lineno="968">
 <summary>
 Relabel cgroup directories.
 </summary>
@@ -65251,7 +65474,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_cgroup_files" lineno="931">
+<interface name="fs_getattr_cgroup_files" lineno="986">
 <summary>
 Get attributes of cgroup files.
 </summary>
@@ -65261,7 +65484,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cgroup_files" lineno="951">
+<interface name="fs_read_cgroup_files" lineno="1006">
 <summary>
 Read cgroup files.
 </summary>
@@ -65271,7 +65494,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_cgroup_files" lineno="972">
+<interface name="fs_create_cgroup_files" lineno="1027">
 <summary>
 Create cgroup files.
 </summary>
@@ -65281,7 +65504,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_cgroup_files" lineno="992">
+<interface name="fs_watch_cgroup_files" lineno="1047">
 <summary>
 Watch cgroup files.
 </summary>
@@ -65291,7 +65514,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_cgroup_links" lineno="1011">
+<interface name="fs_read_cgroup_symlinks" lineno="1066">
+<summary>
+Read cgroup symlnks.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_create_cgroup_links" lineno="1085">
 <summary>
 Create cgroup lnk_files.
 </summary>
@@ -65301,7 +65534,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_cgroup_files" lineno="1031">
+<interface name="fs_write_cgroup_files" lineno="1105">
 <summary>
 Write cgroup files.
 </summary>
@@ -65311,7 +65544,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_cgroup_files" lineno="1050">
+<interface name="fs_rw_cgroup_files" lineno="1124">
 <summary>
 Read and write cgroup files.
 </summary>
@@ -65321,7 +65554,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_rw_cgroup_files" lineno="1072">
+<interface name="fs_dontaudit_rw_cgroup_files" lineno="1146">
 <summary>
 Do not audit attempts to open,
 get attributes, read and write
@@ -65333,7 +65566,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cgroup_files" lineno="1090">
+<interface name="fs_manage_cgroup_files" lineno="1164">
 <summary>
 Manage cgroup files.
 </summary>
@@ -65343,7 +65576,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_cgroup_symlinks" lineno="1110">
+<interface name="fs_relabel_cgroup_symlinks" lineno="1184">
 <summary>
 Relabel cgroup symbolic links.
 </summary>
@@ -65353,7 +65586,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_cgroup_dirs" lineno="1128">
+<interface name="fs_watch_cgroup_dirs" lineno="1202">
 <summary>
 Watch cgroup directories.
 </summary>
@@ -65363,7 +65596,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_cgroup" lineno="1146">
+<interface name="fs_mounton_cgroup" lineno="1220">
 <summary>
 Mount on cgroup directories.
 </summary>
@@ -65373,7 +65606,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_cgroup_files" lineno="1164">
+<interface name="fs_mounton_cgroup_files" lineno="1238">
 <summary>
 Mount on cgroup files.
 </summary>
@@ -65383,7 +65616,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_cgroup_filetrans" lineno="1198">
+<interface name="fs_cgroup_filetrans" lineno="1272">
 <summary>
 Create an object in a cgroup tmpfs filesystem, with a private
 type using a type transition.
@@ -65409,7 +65642,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_cgroup_filetrans_memory_pressure" lineno="1229">
+<interface name="fs_cgroup_filetrans_memory_pressure" lineno="1303">
 <summary>
 Create an object in a cgroup tmpfs filesystem, with the memory_pressure_t
 type using a type transition.
@@ -65430,7 +65663,17 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_memory_pressure" lineno="1247">
+<interface name="fs_getattr_memory_pressure" lineno="1321">
+<summary>
+Get the attributes of cgroup's memory.pressure files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_watch_memory_pressure" lineno="1339">
 <summary>
 Allow managing a cgroup's memory.pressure file to get notifications
 </summary>
@@ -65440,7 +65683,7 @@ Source domain
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_cifs_dirs" lineno="1266">
+<interface name="fs_dontaudit_list_cifs_dirs" lineno="1358">
 <summary>
 Do not audit attempts to read
 dirs on a CIFS or SMB filesystem.
@@ -65451,7 +65694,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_cifs" lineno="1284">
+<interface name="fs_mount_cifs" lineno="1376">
 <summary>
 Mount a CIFS or SMB network filesystem.
 </summary>
@@ -65461,7 +65704,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_cifs" lineno="1303">
+<interface name="fs_remount_cifs" lineno="1395">
 <summary>
 Remount a CIFS or SMB network filesystem.
 This allows some mount options to be changed.
@@ -65472,7 +65715,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_cifs" lineno="1321">
+<interface name="fs_unmount_cifs" lineno="1413">
 <summary>
 Unmount a CIFS or SMB network filesystem.
 </summary>
@@ -65482,7 +65725,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_cifs" lineno="1341">
+<interface name="fs_getattr_cifs" lineno="1433">
 <summary>
 Get the attributes of a CIFS or
 SMB network filesystem.
@@ -65494,7 +65737,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_search_cifs" lineno="1359">
+<interface name="fs_search_cifs" lineno="1451">
 <summary>
 Search directories on a CIFS or SMB filesystem.
 </summary>
@@ -65504,7 +65747,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_cifs" lineno="1378">
+<interface name="fs_list_cifs" lineno="1470">
 <summary>
 List the contents of directories on a
 CIFS or SMB filesystem.
@@ -65515,7 +65758,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_cifs" lineno="1397">
+<interface name="fs_dontaudit_list_cifs" lineno="1489">
 <summary>
 Do not audit attempts to list the contents
 of directories on a CIFS or SMB filesystem.
@@ -65526,7 +65769,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_cifs" lineno="1415">
+<interface name="fs_mounton_cifs" lineno="1507">
 <summary>
 Mounton a CIFS filesystem.
 </summary>
@@ -65536,7 +65779,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_files" lineno="1434">
+<interface name="fs_read_cifs_files" lineno="1526">
 <summary>
 Read files on a CIFS or SMB filesystem.
 </summary>
@@ -65547,7 +65790,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_all_inherited_image_files" lineno="1454">
+<interface name="fs_read_all_inherited_image_files" lineno="1546">
 <summary>
 Read all inherited filesystem image files.
 </summary>
@@ -65558,7 +65801,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_all_image_files" lineno="1473">
+<interface name="fs_read_all_image_files" lineno="1565">
 <summary>
 Read all filesystem image files.
 </summary>
@@ -65569,7 +65812,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_read_all_image_files" lineno="1492">
+<interface name="fs_mmap_read_all_image_files" lineno="1584">
 <summary>
 Mmap-read all filesystem image files.
 </summary>
@@ -65580,7 +65823,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_rw_all_image_files" lineno="1511">
+<interface name="fs_rw_all_image_files" lineno="1603">
 <summary>
 Read and write all filesystem image files.
 </summary>
@@ -65591,7 +65834,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_rw_all_image_files" lineno="1530">
+<interface name="fs_mmap_rw_all_image_files" lineno="1622">
 <summary>
 Mmap-Read-write all filesystem image files.
 </summary>
@@ -65602,7 +65845,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_write_all_image_files" lineno="1549">
+<interface name="fs_dontaudit_write_all_image_files" lineno="1641">
 <summary>
 Do not audit attempts to write all filesystem image files.
 </summary>
@@ -65613,7 +65856,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_noxattr_fs" lineno="1569">
+<interface name="fs_getattr_noxattr_fs" lineno="1661">
 <summary>
 Get the attributes of filesystems that
 do not have extended attribute support.
@@ -65625,7 +65868,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_list_noxattr_fs" lineno="1587">
+<interface name="fs_list_noxattr_fs" lineno="1679">
 <summary>
 Read all noxattrfs directories.
 </summary>
@@ -65635,7 +65878,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_noxattr_fs" lineno="1606">
+<interface name="fs_dontaudit_list_noxattr_fs" lineno="1698">
 <summary>
 Do not audit attempts to list all
 noxattrfs directories.
@@ -65646,7 +65889,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_dirs" lineno="1624">
+<interface name="fs_manage_noxattr_fs_dirs" lineno="1716">
 <summary>
 Create, read, write, and delete all noxattrfs directories.
 </summary>
@@ -65656,7 +65899,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_noxattr_fs_files" lineno="1642">
+<interface name="fs_read_noxattr_fs_files" lineno="1734">
 <summary>
 Read all noxattrfs files.
 </summary>
@@ -65666,7 +65909,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1662">
+<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1754">
 <summary>
 Do not audit attempts to read all
 noxattrfs files.
@@ -65677,7 +65920,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1680">
+<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1772">
 <summary>
 Dont audit attempts to write to noxattrfs files.
 </summary>
@@ -65687,7 +65930,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_files" lineno="1698">
+<interface name="fs_manage_noxattr_fs_files" lineno="1790">
 <summary>
 Create, read, write, and delete all noxattrfs files.
 </summary>
@@ -65697,7 +65940,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_noxattr_fs_symlinks" lineno="1717">
+<interface name="fs_read_noxattr_fs_symlinks" lineno="1809">
 <summary>
 Read all noxattrfs symbolic links.
 </summary>
@@ -65707,7 +65950,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_symlinks" lineno="1736">
+<interface name="fs_manage_noxattr_fs_symlinks" lineno="1828">
 <summary>
 Manage all noxattrfs symbolic links.
 </summary>
@@ -65717,7 +65960,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_noxattr_fs" lineno="1756">
+<interface name="fs_relabelfrom_noxattr_fs" lineno="1848">
 <summary>
 Relabel all objects from filesystems that
 do not support extended attributes.
@@ -65728,7 +65971,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_cifs_files" lineno="1782">
+<interface name="fs_dontaudit_read_cifs_files" lineno="1874">
 <summary>
 Do not audit attempts to read
 files on a CIFS or SMB filesystem.
@@ -65739,7 +65982,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_append_cifs_files" lineno="1802">
+<interface name="fs_append_cifs_files" lineno="1894">
 <summary>
 Append files
 on a CIFS filesystem.
@@ -65751,7 +65994,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_append_cifs_files" lineno="1822">
+<interface name="fs_dontaudit_append_cifs_files" lineno="1914">
 <summary>
 dontaudit Append files
 on a CIFS filesystem.
@@ -65763,7 +66006,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_rw_cifs_files" lineno="1841">
+<interface name="fs_dontaudit_rw_cifs_files" lineno="1933">
 <summary>
 Do not audit attempts to read or
 write files on a CIFS or SMB filesystem.
@@ -65774,7 +66017,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_symlinks" lineno="1859">
+<interface name="fs_read_cifs_symlinks" lineno="1951">
 <summary>
 Read symbolic links on a CIFS or SMB filesystem.
 </summary>
@@ -65784,7 +66027,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_named_pipes" lineno="1879">
+<interface name="fs_read_cifs_named_pipes" lineno="1971">
 <summary>
 Read named pipes
 on a CIFS or SMB network filesystem.
@@ -65795,7 +66038,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_named_sockets" lineno="1898">
+<interface name="fs_read_cifs_named_sockets" lineno="1990">
 <summary>
 Read named sockets
 on a CIFS or SMB network filesystem.
@@ -65806,7 +66049,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_exec_cifs_files" lineno="1919">
+<interface name="fs_exec_cifs_files" lineno="2011">
 <summary>
 Execute files on a CIFS or SMB
 network filesystem, in the caller
@@ -65819,7 +66062,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_cifs_dirs" lineno="1940">
+<interface name="fs_manage_cifs_dirs" lineno="2032">
 <summary>
 Create, read, write, and delete directories
 on a CIFS or SMB network filesystem.
@@ -65831,7 +66074,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1960">
+<interface name="fs_dontaudit_manage_cifs_dirs" lineno="2052">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -65843,7 +66086,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_files" lineno="1980">
+<interface name="fs_manage_cifs_files" lineno="2072">
 <summary>
 Create, read, write, and delete files
 on a CIFS or SMB network filesystem.
@@ -65855,7 +66098,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_cifs_files" lineno="2000">
+<interface name="fs_dontaudit_manage_cifs_files" lineno="2092">
 <summary>
 Do not audit attempts to create, read,
 write, and delete files
@@ -65867,7 +66110,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_symlinks" lineno="2019">
+<interface name="fs_manage_cifs_symlinks" lineno="2111">
 <summary>
 Create, read, write, and delete symbolic links
 on a CIFS or SMB network filesystem.
@@ -65878,7 +66121,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_named_pipes" lineno="2038">
+<interface name="fs_manage_cifs_named_pipes" lineno="2130">
 <summary>
 Create, read, write, and delete named pipes
 on a CIFS or SMB network filesystem.
@@ -65889,7 +66132,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_named_sockets" lineno="2057">
+<interface name="fs_manage_cifs_named_sockets" lineno="2149">
 <summary>
 Create, read, write, and delete named sockets
 on a CIFS or SMB network filesystem.
@@ -65900,7 +66143,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_cifs_domtrans" lineno="2100">
+<interface name="fs_cifs_domtrans" lineno="2192">
 <summary>
 Execute a file on a CIFS or SMB filesystem
 in the specified domain.
@@ -65935,7 +66178,7 @@ The type of the new process.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_configfs_dirs" lineno="2120">
+<interface name="fs_manage_configfs_dirs" lineno="2212">
 <summary>
 Create, read, write, and delete dirs
 on a configfs filesystem.
@@ -65946,7 +66189,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_configfs_files" lineno="2139">
+<interface name="fs_manage_configfs_files" lineno="2231">
 <summary>
 Create, read, write, and delete files
 on a configfs filesystem.
@@ -65957,7 +66200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_dos_fs" lineno="2158">
+<interface name="fs_mount_dos_fs" lineno="2250">
 <summary>
 Mount a DOS filesystem, such as
 FAT32 or NTFS.
@@ -65968,7 +66211,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_dos_fs" lineno="2178">
+<interface name="fs_remount_dos_fs" lineno="2270">
 <summary>
 Remount a DOS filesystem, such as
 FAT32 or NTFS.  This allows
@@ -65980,7 +66223,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_dos_fs" lineno="2197">
+<interface name="fs_unmount_dos_fs" lineno="2289">
 <summary>
 Unmount a DOS filesystem, such as
 FAT32 or NTFS.
@@ -65991,7 +66234,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_dos_fs" lineno="2217">
+<interface name="fs_getattr_dos_fs" lineno="2309">
 <summary>
 Get the attributes of a DOS
 filesystem, such as FAT32 or NTFS.
@@ -66003,7 +66246,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_relabelfrom_dos_fs" lineno="2236">
+<interface name="fs_relabelfrom_dos_fs" lineno="2328">
 <summary>
 Allow changing of the label of a
 DOS filesystem using the context= mount option.
@@ -66014,7 +66257,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_dos_dirs" lineno="2254">
+<interface name="fs_getattr_dos_dirs" lineno="2346">
 <summary>
 Get attributes of directories on a dosfs filesystem.
 </summary>
@@ -66024,7 +66267,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_dos" lineno="2272">
+<interface name="fs_search_dos" lineno="2364">
 <summary>
 Search dosfs filesystem.
 </summary>
@@ -66034,7 +66277,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_dos" lineno="2290">
+<interface name="fs_list_dos" lineno="2382">
 <summary>
 List dirs DOS filesystem.
 </summary>
@@ -66044,7 +66287,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_dos_dirs" lineno="2309">
+<interface name="fs_manage_dos_dirs" lineno="2401">
 <summary>
 Create, read, write, and delete dirs
 on a DOS filesystem.
@@ -66055,7 +66298,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_dos_files" lineno="2327">
+<interface name="fs_read_dos_files" lineno="2419">
 <summary>
 Read files on a DOS filesystem.
 </summary>
@@ -66065,7 +66308,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mmap_read_dos_files" lineno="2345">
+<interface name="fs_mmap_read_dos_files" lineno="2437">
 <summary>
 Read and map files on a DOS filesystem.
 </summary>
@@ -66075,7 +66318,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_dos_files" lineno="2365">
+<interface name="fs_manage_dos_files" lineno="2457">
 <summary>
 Create, read, write, and delete files
 on a DOS filesystem.
@@ -66086,7 +66329,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_ecryptfs" lineno="2383">
+<interface name="fs_list_ecryptfs" lineno="2475">
 <summary>
 Read symbolic links on an eCryptfs filesystem.
 </summary>
@@ -66096,7 +66339,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ecryptfs_dirs" lineno="2404">
+<interface name="fs_manage_ecryptfs_dirs" lineno="2496">
 <summary>
 Create, read, write, and delete directories
 on an eCryptfs filesystem.
@@ -66108,7 +66351,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_ecryptfs_files" lineno="2424">
+<interface name="fs_manage_ecryptfs_files" lineno="2516">
 <summary>
 Create, read, write, and delete files
 on an eCryptfs filesystem.
@@ -66120,7 +66363,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_ecryptfs_named_sockets" lineno="2443">
+<interface name="fs_manage_ecryptfs_named_sockets" lineno="2535">
 <summary>
 Create, read, write, and delete named sockets
 on an eCryptfs filesystem.
@@ -66131,7 +66374,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_efivarfs" lineno="2461">
+<interface name="fs_getattr_efivarfs" lineno="2553">
 <summary>
 Get the attributes of efivarfs filesystems.
 </summary>
@@ -66141,7 +66384,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_efivars" lineno="2479">
+<interface name="fs_list_efivars" lineno="2571">
 <summary>
 List dirs in efivarfs filesystem.
 </summary>
@@ -66151,7 +66394,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_efivarfs_files" lineno="2499">
+<interface name="fs_read_efivarfs_files" lineno="2591">
 <summary>
 Read files in efivarfs
 - contains Linux Kernel configuration options for UEFI systems
@@ -66163,7 +66406,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_efivarfs_files" lineno="2519">
+<interface name="fs_setattr_efivarfs_files" lineno="2611">
 <summary>
 Set the attributes of files in efivarfs
 - contains Linux Kernel configuration options for UEFI systems
@@ -66175,7 +66418,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_efivarfs_files" lineno="2539">
+<interface name="fs_manage_efivarfs_files" lineno="2631">
 <summary>
 Create, read, write, and delete files
 on a efivarfs filesystem.
@@ -66187,7 +66430,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs" lineno="2557">
+<interface name="fs_getattr_fusefs" lineno="2649">
 <summary>
 stat a FUSE filesystem
 </summary>
@@ -66197,7 +66440,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_fusefs" lineno="2575">
+<interface name="fs_mount_fusefs" lineno="2667">
 <summary>
 Mount a FUSE filesystem.
 </summary>
@@ -66207,7 +66450,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_fusefs" lineno="2593">
+<interface name="fs_unmount_fusefs" lineno="2685">
 <summary>
 Unmount a FUSE filesystem.
 </summary>
@@ -66217,7 +66460,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_fusefs" lineno="2611">
+<interface name="fs_remount_fusefs" lineno="2703">
 <summary>
 Remount a FUSE filesystem.
 </summary>
@@ -66227,7 +66470,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_fusefs" lineno="2629">
+<interface name="fs_mounton_fusefs" lineno="2721">
 <summary>
 Mounton a FUSEFS filesystem.
 </summary>
@@ -66237,7 +66480,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_fusefs_entry_type" lineno="2648">
+<interface name="fs_mounton_fusefs_files" lineno="2739">
+<summary>
+Mount on files on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_fusefs_entry_type" lineno="2758">
 <summary>
 Make FUSEFS files an entrypoint for the
 specified domain.
@@ -66248,7 +66501,7 @@ The domain for which fusefs_t is an entrypoint.
 </summary>
 </param>
 </interface>
-<interface name="fs_fusefs_domtrans" lineno="2681">
+<interface name="fs_fusefs_domtrans" lineno="2791">
 <summary>
 Execute FUSEFS files in a specified domain.
 </summary>
@@ -66273,7 +66526,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_fusefs" lineno="2701">
+<interface name="fs_search_fusefs" lineno="2811">
 <summary>
 Search directories
 on a FUSEFS filesystem.
@@ -66285,7 +66538,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_list_fusefs" lineno="2721">
+<interface name="fs_list_fusefs" lineno="2831">
 <summary>
 List the contents of directories
 on a FUSEFS filesystem.
@@ -66297,7 +66550,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_list_fusefs" lineno="2740">
+<interface name="fs_dontaudit_list_fusefs" lineno="2850">
 <summary>
 Do not audit attempts to list the contents
 of directories on a FUSEFS filesystem.
@@ -66308,7 +66561,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_fusefs_dirs" lineno="2760">
+<interface name="fs_setattr_fusefs_dirs" lineno="2870">
 <summary>
 Set the attributes of directories
 on a FUSEFS filesystem.
@@ -66320,7 +66573,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_dirs" lineno="2780">
+<interface name="fs_manage_fusefs_dirs" lineno="2890">
 <summary>
 Create, read, write, and delete directories
 on a FUSEFS filesystem.
@@ -66332,7 +66585,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2800">
+<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2910">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -66344,7 +66597,17 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs_files" lineno="2820">
+<interface name="fs_watch_fusefs_dirs" lineno="2928">
+<summary>
+Watch directories on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_fusefs_files" lineno="2948">
 <summary>
 Get the attributes of files on a
 FUSEFS filesystem.
@@ -66356,7 +66619,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_fusefs_files" lineno="2839">
+<interface name="fs_read_fusefs_files" lineno="2967">
 <summary>
 Read, a FUSEFS filesystem.
 </summary>
@@ -66367,7 +66630,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_exec_fusefs_files" lineno="2858">
+<interface name="fs_exec_fusefs_files" lineno="2986">
 <summary>
 Execute files on a FUSEFS filesystem.
 </summary>
@@ -66378,7 +66641,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_files" lineno="2878">
+<interface name="fs_setattr_fusefs_files" lineno="3006">
 <summary>
 Set the attributes of files on a
 FUSEFS filesystem.
@@ -66390,7 +66653,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_files" lineno="2898">
+<interface name="fs_manage_fusefs_files" lineno="3026">
 <summary>
 Create, read, write, and delete files
 on a FUSEFS filesystem.
@@ -66402,7 +66665,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_fusefs_files" lineno="2918">
+<interface name="fs_dontaudit_manage_fusefs_files" lineno="3046">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -66414,7 +66677,17 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs_symlinks" lineno="2938">
+<interface name="fs_watch_fusefs_files" lineno="3064">
+<summary>
+Watch files on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_fusefs_symlinks" lineno="3084">
 <summary>
 Get the attributes of symlinks
 on a FUSEFS filesystem.
@@ -66426,7 +66699,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_fusefs_symlinks" lineno="2956">
+<interface name="fs_read_fusefs_symlinks" lineno="3102">
 <summary>
 Read symbolic links on a FUSEFS filesystem.
 </summary>
@@ -66436,7 +66709,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_fusefs_symlinks" lineno="2977">
+<interface name="fs_setattr_fusefs_symlinks" lineno="3123">
 <summary>
 Set the attributes of symlinks
 on a FUSEFS filesystem.
@@ -66448,7 +66721,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_symlinks" lineno="2996">
+<interface name="fs_manage_fusefs_symlinks" lineno="3142">
 <summary>
 Manage symlinks on a FUSEFS filesystem.
 </summary>
@@ -66459,7 +66732,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_fifo_files" lineno="3016">
+<interface name="fs_getattr_fusefs_fifo_files" lineno="3162">
 <summary>
 Get the attributes of named pipes
 on a FUSEFS filesystem.
@@ -66471,7 +66744,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_fifo_files" lineno="3036">
+<interface name="fs_setattr_fusefs_fifo_files" lineno="3182">
 <summary>
 Set the attributes of named pipes
 on a FUSEFS filesystem.
@@ -66483,7 +66756,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_fifo_files" lineno="3056">
+<interface name="fs_manage_fusefs_fifo_files" lineno="3202">
 <summary>
 Manage named pipes on a FUSEFS
 filesystem.
@@ -66495,7 +66768,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_sock_files" lineno="3076">
+<interface name="fs_getattr_fusefs_sock_files" lineno="3222">
 <summary>
 Get the attributes of named sockets
 on a FUSEFS filesystem.
@@ -66507,7 +66780,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_sock_files" lineno="3096">
+<interface name="fs_setattr_fusefs_sock_files" lineno="3242">
 <summary>
 Set the attributes of named sockets
 on a FUSEFS filesystem.
@@ -66519,7 +66792,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_sock_files" lineno="3116">
+<interface name="fs_manage_fusefs_sock_files" lineno="3262">
 <summary>
 Manage named sockets on a FUSEFS
 filesystem.
@@ -66531,7 +66804,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_chr_files" lineno="3136">
+<interface name="fs_getattr_fusefs_chr_files" lineno="3282">
 <summary>
 Get the attributes of character files
 on a FUSEFS filesystem.
@@ -66543,7 +66816,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_chr_files" lineno="3156">
+<interface name="fs_setattr_fusefs_chr_files" lineno="3302">
 <summary>
 Set the attributes of character files
 on a FUSEFS filesystem.
@@ -66555,7 +66828,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_chr_files" lineno="3176">
+<interface name="fs_manage_fusefs_chr_files" lineno="3322">
 <summary>
 Manage character files on a FUSEFS
 filesystem.
@@ -66567,7 +66840,31 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_hugetlbfs" lineno="3195">
+<interface name="fs_create_fusefs_blk_files" lineno="3342">
+<summary>
+Create block files on a FUSEFS
+filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_setattr_fusefs_blk_files" lineno="3362">
+<summary>
+Set the attributes of block files on
+a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_getattr_hugetlbfs" lineno="3381">
 <summary>
 Get the attributes of an hugetlbfs
 filesystem.
@@ -66578,7 +66875,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_hugetlbfs" lineno="3213">
+<interface name="fs_list_hugetlbfs" lineno="3399">
 <summary>
 List hugetlbfs.
 </summary>
@@ -66588,7 +66885,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_hugetlbfs_dirs" lineno="3231">
+<interface name="fs_manage_hugetlbfs_dirs" lineno="3417">
 <summary>
 Manage hugetlbfs dirs.
 </summary>
@@ -66598,7 +66895,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3249">
+<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3435">
 <summary>
 Read and write inherited hugetlbfs files.
 </summary>
@@ -66608,7 +66905,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_hugetlbfs_files" lineno="3267">
+<interface name="fs_rw_hugetlbfs_files" lineno="3453">
 <summary>
 Read and write hugetlbfs files.
 </summary>
@@ -66618,7 +66915,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3285">
+<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3471">
 <summary>
 Read, map and write hugetlbfs files.
 </summary>
@@ -66628,7 +66925,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_associate_hugetlbfs" lineno="3304">
+<interface name="fs_associate_hugetlbfs" lineno="3490">
 <summary>
 Allow the type to associate to hugetlbfs filesystems.
 </summary>
@@ -66638,7 +66935,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_inotifyfs" lineno="3322">
+<interface name="fs_search_inotifyfs" lineno="3508">
 <summary>
 Search inotifyfs filesystem.
 </summary>
@@ -66648,7 +66945,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_inotifyfs" lineno="3340">
+<interface name="fs_list_inotifyfs" lineno="3526">
 <summary>
 List inotifyfs filesystem.
 </summary>
@@ -66658,7 +66955,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_inotifyfs" lineno="3358">
+<interface name="fs_dontaudit_list_inotifyfs" lineno="3544">
 <summary>
 Dontaudit List inotifyfs filesystem.
 </summary>
@@ -66668,7 +66965,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_hugetlbfs_filetrans" lineno="3392">
+<interface name="fs_hugetlbfs_filetrans" lineno="3578">
 <summary>
 Create an object in a hugetlbfs filesystem, with a private
 type using a type transition.
@@ -66694,7 +66991,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_iso9660_fs" lineno="3412">
+<interface name="fs_mount_iso9660_fs" lineno="3598">
 <summary>
 Mount an iso9660 filesystem, which
 is usually used on CDs.
@@ -66705,7 +67002,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_iso9660_fs" lineno="3432">
+<interface name="fs_remount_iso9660_fs" lineno="3618">
 <summary>
 Remount an iso9660 filesystem, which
 is usually used on CDs.  This allows
@@ -66717,7 +67014,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_iso9660_fs" lineno="3451">
+<interface name="fs_relabelfrom_iso9660_fs" lineno="3637">
 <summary>
 Allow changing of the label of a
 filesystem with iso9660 type
@@ -66728,7 +67025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_iso9660_fs" lineno="3470">
+<interface name="fs_unmount_iso9660_fs" lineno="3656">
 <summary>
 Unmount an iso9660 filesystem, which
 is usually used on CDs.
@@ -66739,7 +67036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_iso9660_fs" lineno="3490">
+<interface name="fs_getattr_iso9660_fs" lineno="3676">
 <summary>
 Get the attributes of an iso9660
 filesystem, which is usually used on CDs.
@@ -66751,7 +67048,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_iso9660_files" lineno="3509">
+<interface name="fs_getattr_iso9660_files" lineno="3695">
 <summary>
 Get the attributes of files on an iso9660
 filesystem, which is usually used on CDs.
@@ -66762,7 +67059,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_iso9660_files" lineno="3529">
+<interface name="fs_read_iso9660_files" lineno="3715">
 <summary>
 Read files on an iso9660 filesystem, which
 is usually used on CDs.
@@ -66773,7 +67070,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_nfs" lineno="3549">
+<interface name="fs_mount_nfs" lineno="3735">
 <summary>
 Mount a NFS filesystem.
 </summary>
@@ -66783,7 +67080,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_nfs" lineno="3568">
+<interface name="fs_remount_nfs" lineno="3754">
 <summary>
 Remount a NFS filesystem.  This allows
 some mount options to be changed.
@@ -66794,7 +67091,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nfs" lineno="3586">
+<interface name="fs_unmount_nfs" lineno="3772">
 <summary>
 Unmount a NFS filesystem.
 </summary>
@@ -66804,7 +67101,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfs" lineno="3605">
+<interface name="fs_getattr_nfs" lineno="3791">
 <summary>
 Get the attributes of a NFS filesystem.
 </summary>
@@ -66815,7 +67112,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_search_nfs" lineno="3623">
+<interface name="fs_search_nfs" lineno="3809">
 <summary>
 Search directories on a NFS filesystem.
 </summary>
@@ -66825,7 +67122,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_nfs" lineno="3641">
+<interface name="fs_list_nfs" lineno="3827">
 <summary>
 List NFS filesystem.
 </summary>
@@ -66835,7 +67132,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_nfs" lineno="3660">
+<interface name="fs_dontaudit_list_nfs" lineno="3846">
 <summary>
 Do not audit attempts to list the contents
 of directories on a NFS filesystem.
@@ -66846,7 +67143,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfs_dirs" lineno="3679">
+<interface name="fs_watch_nfs_dirs" lineno="3865">
 <summary>
 Add a watch on directories on an NFS
 filesystem.
@@ -66857,7 +67154,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_nfs" lineno="3697">
+<interface name="fs_mounton_nfs" lineno="3883">
 <summary>
 Mounton a NFS filesystem.
 </summary>
@@ -66867,7 +67164,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_files" lineno="3716">
+<interface name="fs_read_nfs_files" lineno="3902">
 <summary>
 Read files on a NFS filesystem.
 </summary>
@@ -66878,7 +67175,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_read_nfs_files" lineno="3736">
+<interface name="fs_dontaudit_read_nfs_files" lineno="3922">
 <summary>
 Do not audit attempts to read
 files on a NFS filesystem.
@@ -66889,7 +67186,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_nfs_files" lineno="3754">
+<interface name="fs_write_nfs_files" lineno="3940">
 <summary>
 Read files on a NFS filesystem.
 </summary>
@@ -66899,7 +67196,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_exec_nfs_files" lineno="3774">
+<interface name="fs_exec_nfs_files" lineno="3960">
 <summary>
 Execute files on a NFS filesystem.
 </summary>
@@ -66910,7 +67207,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_append_nfs_files" lineno="3795">
+<interface name="fs_append_nfs_files" lineno="3981">
 <summary>
 Append files
 on a NFS filesystem.
@@ -66922,7 +67219,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_append_nfs_files" lineno="3815">
+<interface name="fs_dontaudit_append_nfs_files" lineno="4001">
 <summary>
 dontaudit Append files
 on a NFS filesystem.
@@ -66934,7 +67231,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_rw_nfs_files" lineno="3834">
+<interface name="fs_dontaudit_rw_nfs_files" lineno="4020">
 <summary>
 Do not audit attempts to read or
 write files on a NFS filesystem.
@@ -66945,7 +67242,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfs_files" lineno="3852">
+<interface name="fs_watch_nfs_files" lineno="4038">
 <summary>
 Add a watch on files on an NFS filesystem.
 </summary>
@@ -66955,7 +67252,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_symlinks" lineno="3870">
+<interface name="fs_read_nfs_symlinks" lineno="4056">
 <summary>
 Read symbolic links on a NFS filesystem.
 </summary>
@@ -66965,7 +67262,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_nfs_symlinks" lineno="3889">
+<interface name="fs_dontaudit_read_nfs_symlinks" lineno="4075">
 <summary>
 Dontaudit read symbolic links on a NFS filesystem.
 </summary>
@@ -66975,7 +67272,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_named_sockets" lineno="3907">
+<interface name="fs_read_nfs_named_sockets" lineno="4093">
 <summary>
 Read named sockets on a NFS filesystem.
 </summary>
@@ -66985,7 +67282,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_named_pipes" lineno="3926">
+<interface name="fs_read_nfs_named_pipes" lineno="4112">
 <summary>
 Read named pipes on a NFS network filesystem.
 </summary>
@@ -66996,7 +67293,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_rpc_dirs" lineno="3945">
+<interface name="fs_getattr_rpc_dirs" lineno="4131">
 <summary>
 Get the attributes of directories of RPC
 file system pipes.
@@ -67007,7 +67304,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_rpc" lineno="3964">
+<interface name="fs_search_rpc" lineno="4150">
 <summary>
 Search directories of RPC file system pipes.
 </summary>
@@ -67017,7 +67314,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_removable" lineno="3982">
+<interface name="fs_search_removable" lineno="4168">
 <summary>
 Search removable storage directories.
 </summary>
@@ -67027,7 +67324,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_removable" lineno="4000">
+<interface name="fs_dontaudit_list_removable" lineno="4186">
 <summary>
 Do not audit attempts to list removable storage directories.
 </summary>
@@ -67037,7 +67334,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_files" lineno="4018">
+<interface name="fs_read_removable_files" lineno="4204">
 <summary>
 Read removable storage files.
 </summary>
@@ -67047,7 +67344,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_removable_files" lineno="4036">
+<interface name="fs_dontaudit_read_removable_files" lineno="4222">
 <summary>
 Do not audit attempts to read removable storage files.
 </summary>
@@ -67057,7 +67354,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_removable_files" lineno="4054">
+<interface name="fs_dontaudit_write_removable_files" lineno="4240">
 <summary>
 Do not audit attempts to write removable storage files.
 </summary>
@@ -67067,7 +67364,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_symlinks" lineno="4072">
+<interface name="fs_read_removable_symlinks" lineno="4258">
 <summary>
 Read removable storage symbolic links.
 </summary>
@@ -67077,7 +67374,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_blk_files" lineno="4090">
+<interface name="fs_read_removable_blk_files" lineno="4276">
 <summary>
 Read block nodes on removable filesystems.
 </summary>
@@ -67087,7 +67384,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_removable_blk_files" lineno="4109">
+<interface name="fs_rw_removable_blk_files" lineno="4295">
 <summary>
 Read and write block nodes on removable filesystems.
 </summary>
@@ -67097,7 +67394,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_rpc" lineno="4128">
+<interface name="fs_list_rpc" lineno="4314">
 <summary>
 Read directories of RPC file system pipes.
 </summary>
@@ -67107,7 +67404,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_files" lineno="4146">
+<interface name="fs_read_rpc_files" lineno="4332">
 <summary>
 Read files of RPC file system pipes.
 </summary>
@@ -67117,7 +67414,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_symlinks" lineno="4164">
+<interface name="fs_read_rpc_symlinks" lineno="4350">
 <summary>
 Read symbolic links of RPC file system pipes.
 </summary>
@@ -67127,7 +67424,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_sockets" lineno="4182">
+<interface name="fs_read_rpc_sockets" lineno="4368">
 <summary>
 Read sockets of RPC file system pipes.
 </summary>
@@ -67137,7 +67434,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_rpc_sockets" lineno="4200">
+<interface name="fs_rw_rpc_sockets" lineno="4386">
 <summary>
 Read and write sockets of RPC file system pipes.
 </summary>
@@ -67147,7 +67444,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_dirs" lineno="4220">
+<interface name="fs_manage_nfs_dirs" lineno="4406">
 <summary>
 Create, read, write, and delete directories
 on a NFS filesystem.
@@ -67159,7 +67456,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4240">
+<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4426">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -67171,7 +67468,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_files" lineno="4260">
+<interface name="fs_manage_nfs_files" lineno="4446">
 <summary>
 Create, read, write, and delete files
 on a NFS filesystem.
@@ -67183,7 +67480,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_nfs_files" lineno="4280">
+<interface name="fs_dontaudit_manage_nfs_files" lineno="4466">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -67195,7 +67492,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_symlinks" lineno="4300">
+<interface name="fs_manage_nfs_symlinks" lineno="4486">
 <summary>
 Create, read, write, and delete symbolic links
 on a NFS network filesystem.
@@ -67207,7 +67504,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_nfs_named_pipes" lineno="4319">
+<interface name="fs_manage_nfs_named_pipes" lineno="4505">
 <summary>
 Create, read, write, and delete named pipes
 on a NFS filesystem.
@@ -67218,7 +67515,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_named_sockets" lineno="4338">
+<interface name="fs_manage_nfs_named_sockets" lineno="4524">
 <summary>
 Create, read, write, and delete named sockets
 on a NFS filesystem.
@@ -67229,7 +67526,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_nfs_domtrans" lineno="4381">
+<interface name="fs_nfs_domtrans" lineno="4567">
 <summary>
 Execute a file on a NFS filesystem
 in the specified domain.
@@ -67264,7 +67561,7 @@ The type of the new process.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_nfsd_fs" lineno="4400">
+<interface name="fs_mount_nfsd_fs" lineno="4586">
 <summary>
 Mount a NFS server pseudo filesystem.
 </summary>
@@ -67274,7 +67571,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_nfsd_fs" lineno="4419">
+<interface name="fs_remount_nfsd_fs" lineno="4605">
 <summary>
 Mount a NFS server pseudo filesystem.
 This allows some mount options to be changed.
@@ -67285,7 +67582,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nfsd_fs" lineno="4437">
+<interface name="fs_unmount_nfsd_fs" lineno="4623">
 <summary>
 Unmount a NFS server pseudo filesystem.
 </summary>
@@ -67295,7 +67592,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfsd_fs" lineno="4456">
+<interface name="fs_getattr_nfsd_fs" lineno="4642">
 <summary>
 Get the attributes of a NFS server
 pseudo filesystem.
@@ -67306,7 +67603,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_nfsd_fs" lineno="4474">
+<interface name="fs_search_nfsd_fs" lineno="4660">
 <summary>
 Search NFS server directories.
 </summary>
@@ -67316,7 +67613,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_nfsd_fs" lineno="4492">
+<interface name="fs_list_nfsd_fs" lineno="4678">
 <summary>
 List NFS server directories.
 </summary>
@@ -67326,7 +67623,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfsd_dirs" lineno="4510">
+<interface name="fs_watch_nfsd_dirs" lineno="4696">
 <summary>
 Watch NFS server directories.
 </summary>
@@ -67336,7 +67633,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfsd_files" lineno="4528">
+<interface name="fs_getattr_nfsd_files" lineno="4714">
 <summary>
 Getattr files on an nfsd filesystem
 </summary>
@@ -67346,7 +67643,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_nfsd_fs" lineno="4546">
+<interface name="fs_rw_nfsd_fs" lineno="4732">
 <summary>
 Read and write NFS server files.
 </summary>
@@ -67356,7 +67653,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nsfs_files" lineno="4564">
+<interface name="fs_getattr_nsfs_files" lineno="4750">
 <summary>
 Get the attributes of nsfs inodes (e.g. /proc/pid/ns/uts)
 </summary>
@@ -67366,7 +67663,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nsfs_files" lineno="4582">
+<interface name="fs_read_nsfs_files" lineno="4768">
 <summary>
 Read nsfs inodes (e.g. /proc/pid/ns/uts)
 </summary>
@@ -67376,7 +67673,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfsd_files" lineno="4600">
+<interface name="fs_watch_nfsd_files" lineno="4786">
 <summary>
 Watch NFS server files.
 </summary>
@@ -67386,7 +67683,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nsfs" lineno="4618">
+<interface name="fs_getattr_nsfs" lineno="4804">
 <summary>
 Get the attributes of an nsfs filesystem.
 </summary>
@@ -67396,7 +67693,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nsfs" lineno="4636">
+<interface name="fs_unmount_nsfs" lineno="4822">
 <summary>
 Unmount an nsfs filesystem.
 </summary>
@@ -67406,7 +67703,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_pstorefs" lineno="4654">
+<interface name="fs_getattr_pstorefs" lineno="4840">
 <summary>
 Get the attributes of a pstore filesystem.
 </summary>
@@ -67416,7 +67713,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_pstore_dirs" lineno="4673">
+<interface name="fs_getattr_pstore_dirs" lineno="4859">
 <summary>
 Get the attributes of directories
 of a pstore filesystem.
@@ -67427,7 +67724,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_pstore_dirs" lineno="4692">
+<interface name="fs_create_pstore_dirs" lineno="4878">
 <summary>
 Create pstore directories.
 </summary>
@@ -67437,7 +67734,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_pstore_dirs" lineno="4711">
+<interface name="fs_relabel_pstore_dirs" lineno="4897">
 <summary>
 Relabel to/from pstore_t directories.
 </summary>
@@ -67447,7 +67744,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_pstore_dirs" lineno="4730">
+<interface name="fs_list_pstore_dirs" lineno="4916">
 <summary>
 List the directories
 of a pstore filesystem.
@@ -67458,7 +67755,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_pstore_files" lineno="4749">
+<interface name="fs_read_pstore_files" lineno="4935">
 <summary>
 Read pstore_t files
 </summary>
@@ -67468,7 +67765,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_delete_pstore_files" lineno="4768">
+<interface name="fs_delete_pstore_files" lineno="4954">
 <summary>
 Delete the files
 of a pstore filesystem.
@@ -67479,7 +67776,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_associate_ramfs" lineno="4787">
+<interface name="fs_associate_ramfs" lineno="4973">
 <summary>
 Allow the type to associate to ramfs filesystems.
 </summary>
@@ -67489,7 +67786,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_ramfs" lineno="4805">
+<interface name="fs_mount_ramfs" lineno="4991">
 <summary>
 Mount a RAM filesystem.
 </summary>
@@ -67499,7 +67796,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_ramfs" lineno="4824">
+<interface name="fs_remount_ramfs" lineno="5010">
 <summary>
 Remount a RAM filesystem.  This allows
 some mount options to be changed.
@@ -67510,7 +67807,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_ramfs" lineno="4842">
+<interface name="fs_unmount_ramfs" lineno="5028">
 <summary>
 Unmount a RAM filesystem.
 </summary>
@@ -67520,7 +67817,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_ramfs" lineno="4860">
+<interface name="fs_getattr_ramfs" lineno="5046">
 <summary>
 Get the attributes of a RAM filesystem.
 </summary>
@@ -67530,7 +67827,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_ramfs" lineno="4878">
+<interface name="fs_search_ramfs" lineno="5064">
 <summary>
 Search directories on a ramfs
 </summary>
@@ -67540,7 +67837,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_search_ramfs" lineno="4896">
+<interface name="fs_dontaudit_search_ramfs" lineno="5082">
 <summary>
 Dontaudit Search directories on a ramfs
 </summary>
@@ -67550,7 +67847,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_ramfs_dirs" lineno="4915">
+<interface name="fs_setattr_ramfs_dirs" lineno="5101">
 <summary>
 Set the attributes of directories on
 a ramfs.
@@ -67561,7 +67858,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_dirs" lineno="4934">
+<interface name="fs_manage_ramfs_dirs" lineno="5120">
 <summary>
 Create, read, write, and delete
 directories on a ramfs.
@@ -67572,7 +67869,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_ramfs_files" lineno="4952">
+<interface name="fs_dontaudit_read_ramfs_files" lineno="5138">
 <summary>
 Dontaudit read on a ramfs files.
 </summary>
@@ -67582,7 +67879,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_ramfs_pipes" lineno="4970">
+<interface name="fs_dontaudit_read_ramfs_pipes" lineno="5156">
 <summary>
 Dontaudit read on a ramfs fifo_files.
 </summary>
@@ -67592,7 +67889,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_files" lineno="4989">
+<interface name="fs_manage_ramfs_files" lineno="5175">
 <summary>
 Create, read, write, and delete
 files on a ramfs filesystem.
@@ -67603,7 +67900,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_ramfs_pipes" lineno="5007">
+<interface name="fs_write_ramfs_pipes" lineno="5193">
 <summary>
 Write to named pipe on a ramfs filesystem.
 </summary>
@@ -67613,7 +67910,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_ramfs_pipes" lineno="5026">
+<interface name="fs_dontaudit_write_ramfs_pipes" lineno="5212">
 <summary>
 Do not audit attempts to write to named
 pipes on a ramfs filesystem.
@@ -67624,7 +67921,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_ramfs_pipes" lineno="5044">
+<interface name="fs_rw_ramfs_pipes" lineno="5230">
 <summary>
 Read and write a named pipe on a ramfs filesystem.
 </summary>
@@ -67634,7 +67931,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_pipes" lineno="5063">
+<interface name="fs_manage_ramfs_pipes" lineno="5249">
 <summary>
 Create, read, write, and delete
 named pipes on a ramfs filesystem.
@@ -67645,7 +67942,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_ramfs_sockets" lineno="5081">
+<interface name="fs_write_ramfs_sockets" lineno="5267">
 <summary>
 Write to named socket on a ramfs filesystem.
 </summary>
@@ -67655,7 +67952,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_sockets" lineno="5100">
+<interface name="fs_manage_ramfs_sockets" lineno="5286">
 <summary>
 Create, read, write, and delete
 named sockets on a ramfs filesystem.
@@ -67666,7 +67963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_romfs" lineno="5118">
+<interface name="fs_mount_romfs" lineno="5304">
 <summary>
 Mount a ROM filesystem.
 </summary>
@@ -67676,7 +67973,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_romfs" lineno="5137">
+<interface name="fs_remount_romfs" lineno="5323">
 <summary>
 Remount a ROM filesystem.  This allows
 some mount options to be changed.
@@ -67687,7 +67984,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_romfs" lineno="5155">
+<interface name="fs_unmount_romfs" lineno="5341">
 <summary>
 Unmount a ROM filesystem.
 </summary>
@@ -67697,7 +67994,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_romfs" lineno="5174">
+<interface name="fs_getattr_romfs" lineno="5360">
 <summary>
 Get the attributes of a ROM
 filesystem.
@@ -67708,7 +68005,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_rpc_pipefs" lineno="5192">
+<interface name="fs_mount_rpc_pipefs" lineno="5378">
 <summary>
 Mount a RPC pipe filesystem.
 </summary>
@@ -67718,7 +68015,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_rpc_pipefs" lineno="5211">
+<interface name="fs_remount_rpc_pipefs" lineno="5397">
 <summary>
 Remount a RPC pipe filesystem.  This
 allows some mount option to be changed.
@@ -67729,7 +68026,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_rpc_pipefs" lineno="5229">
+<interface name="fs_unmount_rpc_pipefs" lineno="5415">
 <summary>
 Unmount a RPC pipe filesystem.
 </summary>
@@ -67739,7 +68036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_rpc_pipefs" lineno="5248">
+<interface name="fs_getattr_rpc_pipefs" lineno="5434">
 <summary>
 Get the attributes of a RPC pipe
 filesystem.
@@ -67750,7 +68047,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_rpc_named_pipes" lineno="5266">
+<interface name="fs_rw_rpc_named_pipes" lineno="5452">
 <summary>
 Read and write RPC pipe filesystem named pipes.
 </summary>
@@ -67760,7 +68057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_rpc_pipefs_dirs" lineno="5284">
+<interface name="fs_watch_rpc_pipefs_dirs" lineno="5470">
 <summary>
 Watch RPC pipe filesystem directories.
 </summary>
@@ -67770,7 +68067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_tmpfs" lineno="5302">
+<interface name="fs_mount_tmpfs" lineno="5488">
 <summary>
 Mount a tmpfs filesystem.
 </summary>
@@ -67780,7 +68077,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_tmpfs" lineno="5320">
+<interface name="fs_remount_tmpfs" lineno="5506">
 <summary>
 Remount a tmpfs filesystem.
 </summary>
@@ -67790,7 +68087,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_tmpfs" lineno="5338">
+<interface name="fs_unmount_tmpfs" lineno="5524">
 <summary>
 Unmount a tmpfs filesystem.
 </summary>
@@ -67800,7 +68097,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs" lineno="5356">
+<interface name="fs_dontaudit_getattr_tmpfs" lineno="5542">
 <summary>
 Do not audit getting the attributes of a tmpfs filesystem
 </summary>
@@ -67810,7 +68107,7 @@ Domain to not audit
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tmpfs" lineno="5376">
+<interface name="fs_getattr_tmpfs" lineno="5562">
 <summary>
 Get the attributes of a tmpfs
 filesystem.
@@ -67822,7 +68119,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_associate_tmpfs" lineno="5394">
+<interface name="fs_associate_tmpfs" lineno="5580">
 <summary>
 Allow the type to associate to tmpfs filesystems.
 </summary>
@@ -67832,7 +68129,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs" lineno="5412">
+<interface name="fs_relabelfrom_tmpfs" lineno="5598">
 <summary>
 Relabel from tmpfs filesystem.
 </summary>
@@ -67842,7 +68139,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tmpfs_dirs" lineno="5430">
+<interface name="fs_getattr_tmpfs_dirs" lineno="5616">
 <summary>
 Get the attributes of tmpfs directories.
 </summary>
@@ -67852,7 +68149,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5449">
+<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5635">
 <summary>
 Do not audit attempts to get the attributes
 of tmpfs directories.
@@ -67863,7 +68160,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_tmpfs" lineno="5467">
+<interface name="fs_mounton_tmpfs" lineno="5653">
 <summary>
 Mount on tmpfs directories.
 </summary>
@@ -67873,7 +68170,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_tmpfs_files" lineno="5485">
+<interface name="fs_mounton_tmpfs_files" lineno="5671">
 <summary>
 Mount on tmpfs files.
 </summary>
@@ -67883,7 +68180,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_tmpfs_dirs" lineno="5503">
+<interface name="fs_setattr_tmpfs_dirs" lineno="5689">
 <summary>
 Set the attributes of tmpfs directories.
 </summary>
@@ -67893,7 +68190,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_tmpfs" lineno="5521">
+<interface name="fs_search_tmpfs" lineno="5707">
 <summary>
 Search tmpfs directories.
 </summary>
@@ -67903,7 +68200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_tmpfs" lineno="5539">
+<interface name="fs_list_tmpfs" lineno="5725">
 <summary>
 List the contents of generic tmpfs directories.
 </summary>
@@ -67913,7 +68210,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_tmpfs" lineno="5558">
+<interface name="fs_dontaudit_list_tmpfs" lineno="5744">
 <summary>
 Do not audit attempts to list the
 contents of generic tmpfs directories.
@@ -67924,7 +68221,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_dirs" lineno="5577">
+<interface name="fs_manage_tmpfs_dirs" lineno="5763">
 <summary>
 Create, read, write, and delete
 tmpfs directories
@@ -67935,7 +68232,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5596">
+<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5782">
 <summary>
 Do not audit attempts to write
 tmpfs directories
@@ -67946,7 +68243,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5614">
+<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5800">
 <summary>
 Relabel from tmpfs_t dir
 </summary>
@@ -67956,7 +68253,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_dirs" lineno="5632">
+<interface name="fs_relabel_tmpfs_dirs" lineno="5818">
 <summary>
 Relabel directory on tmpfs filesystems.
 </summary>
@@ -67966,7 +68263,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_tmpfs_dirs" lineno="5649">
+<interface name="fs_watch_tmpfs_dirs" lineno="5835">
 <summary>
 Watch directories on tmpfs filesystems.
 </summary>
@@ -67976,7 +68273,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_tmpfs_filetrans" lineno="5683">
+<interface name="fs_tmpfs_filetrans" lineno="5869">
 <summary>
 Create an object in a tmpfs filesystem, with a private
 type using a type transition.
@@ -68002,7 +68299,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5703">
+<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5889">
 <summary>
 Do not audit attempts to getattr
 generic tmpfs files.
@@ -68013,7 +68310,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5722">
+<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5908">
 <summary>
 Do not audit attempts to read or write
 generic tmpfs files.
@@ -68024,7 +68321,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_delete_tmpfs_symlinks" lineno="5740">
+<interface name="fs_delete_tmpfs_symlinks" lineno="5926">
 <summary>
 Delete tmpfs symbolic links.
 </summary>
@@ -68034,7 +68331,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_auto_mountpoints" lineno="5759">
+<interface name="fs_manage_auto_mountpoints" lineno="5945">
 <summary>
 Create, read, write, and delete
 auto moutpoints.
@@ -68045,7 +68342,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_tmpfs_files" lineno="5777">
+<interface name="fs_read_tmpfs_files" lineno="5963">
 <summary>
 Read generic tmpfs files.
 </summary>
@@ -68055,7 +68352,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_files" lineno="5795">
+<interface name="fs_rw_tmpfs_files" lineno="5981">
 <summary>
 Read and write generic tmpfs files.
 </summary>
@@ -68065,7 +68362,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_files" lineno="5813">
+<interface name="fs_relabel_tmpfs_files" lineno="5999">
 <summary>
 Relabel files on tmpfs filesystems.
 </summary>
@@ -68075,7 +68372,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_tmpfs_symlinks" lineno="5831">
+<interface name="fs_read_tmpfs_symlinks" lineno="6017">
 <summary>
 Read tmpfs link files.
 </summary>
@@ -68085,7 +68382,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_sockets" lineno="5849">
+<interface name="fs_relabelfrom_tmpfs_sockets" lineno="6035">
 <summary>
 Relabelfrom socket files on tmpfs filesystems.
 </summary>
@@ -68095,7 +68392,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="5867">
+<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="6053">
 <summary>
 Relabelfrom tmpfs link files.
 </summary>
@@ -68105,7 +68402,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_chr_files" lineno="5885">
+<interface name="fs_rw_tmpfs_chr_files" lineno="6071">
 <summary>
 Read and write character nodes on tmpfs filesystems.
 </summary>
@@ -68115,7 +68412,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="5904">
+<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="6090">
 <summary>
 dontaudit Read and write character nodes on tmpfs filesystems.
 </summary>
@@ -68125,7 +68422,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_chr_files" lineno="5923">
+<interface name="fs_relabel_tmpfs_chr_files" lineno="6109">
 <summary>
 Relabel character nodes on tmpfs filesystems.
 </summary>
@@ -68135,7 +68432,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_blk_files" lineno="5942">
+<interface name="fs_rw_tmpfs_blk_files" lineno="6128">
 <summary>
 Read and write block nodes on tmpfs filesystems.
 </summary>
@@ -68145,7 +68442,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_blk_files" lineno="5961">
+<interface name="fs_relabel_tmpfs_blk_files" lineno="6147">
 <summary>
 Relabel block nodes on tmpfs filesystems.
 </summary>
@@ -68155,7 +68452,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_fifo_files" lineno="5980">
+<interface name="fs_relabel_tmpfs_fifo_files" lineno="6166">
 <summary>
 Relabel named pipes on tmpfs filesystems.
 </summary>
@@ -68165,7 +68462,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_files" lineno="6000">
+<interface name="fs_manage_tmpfs_files" lineno="6186">
 <summary>
 Read and write, create and delete generic
 files on tmpfs filesystems.
@@ -68176,7 +68473,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_symlinks" lineno="6019">
+<interface name="fs_manage_tmpfs_symlinks" lineno="6205">
 <summary>
 Read and write, create and delete symbolic
 links on tmpfs filesystems.
@@ -68187,7 +68484,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_sockets" lineno="6038">
+<interface name="fs_manage_tmpfs_sockets" lineno="6224">
 <summary>
 Read and write, create and delete socket
 files on tmpfs filesystems.
@@ -68198,7 +68495,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_chr_files" lineno="6057">
+<interface name="fs_manage_tmpfs_chr_files" lineno="6243">
 <summary>
 Read and write, create and delete character
 nodes on tmpfs filesystems.
@@ -68209,7 +68506,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_blk_files" lineno="6076">
+<interface name="fs_manage_tmpfs_blk_files" lineno="6262">
 <summary>
 Read and write, create and delete block nodes
 on tmpfs filesystems.
@@ -68220,7 +68517,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs" lineno="6094">
+<interface name="fs_getattr_tracefs" lineno="6280">
 <summary>
 Get the attributes of a trace filesystem.
 </summary>
@@ -68230,7 +68527,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs_dirs" lineno="6112">
+<interface name="fs_getattr_tracefs_dirs" lineno="6298">
 <summary>
 Get attributes of dirs on tracefs filesystem.
 </summary>
@@ -68240,7 +68537,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_tracefs" lineno="6130">
+<interface name="fs_search_tracefs" lineno="6316">
 <summary>
 search directories on a tracefs filesystem
 </summary>
@@ -68250,7 +68547,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs_files" lineno="6149">
+<interface name="fs_getattr_tracefs_files" lineno="6335">
 <summary>
 Get the attributes of files
 on a trace filesystem.
@@ -68261,7 +68558,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tracefs_files" lineno="6167">
+<interface name="fs_rw_tracefs_files" lineno="6353">
 <summary>
 Read/write trace filesystem files
 </summary>
@@ -68271,7 +68568,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_tracefs_dirs" lineno="6186">
+<interface name="fs_create_tracefs_dirs" lineno="6372">
 <summary>
 create trace filesystem directories
 </summary>
@@ -68281,7 +68578,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_xenfs" lineno="6204">
+<interface name="fs_mount_xenfs" lineno="6390">
 <summary>
 Mount a XENFS filesystem.
 </summary>
@@ -68291,7 +68588,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_xenfs" lineno="6222">
+<interface name="fs_search_xenfs" lineno="6408">
 <summary>
 Search the XENFS filesystem.
 </summary>
@@ -68301,7 +68598,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_xenfs_dirs" lineno="6242">
+<interface name="fs_manage_xenfs_dirs" lineno="6428">
 <summary>
 Create, read, write, and delete directories
 on a XENFS filesystem.
@@ -68313,7 +68610,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6262">
+<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6448">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -68325,7 +68622,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_xenfs_files" lineno="6282">
+<interface name="fs_manage_xenfs_files" lineno="6468">
 <summary>
 Create, read, write, and delete files
 on a XENFS filesystem.
@@ -68337,7 +68634,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_xenfs_files" lineno="6300">
+<interface name="fs_mmap_xenfs_files" lineno="6486">
 <summary>
 Map files a XENFS filesystem.
 </summary>
@@ -68347,7 +68644,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_manage_xenfs_files" lineno="6320">
+<interface name="fs_dontaudit_manage_xenfs_files" lineno="6506">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -68359,7 +68656,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_all_fs" lineno="6338">
+<interface name="fs_mount_all_fs" lineno="6524">
 <summary>
 Mount all filesystems.
 </summary>
@@ -68369,7 +68666,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_all_fs" lineno="6357">
+<interface name="fs_remount_all_fs" lineno="6543">
 <summary>
 Remount all filesystems.  This
 allows some mount options to be changed.
@@ -68380,7 +68677,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_all_fs" lineno="6375">
+<interface name="fs_unmount_all_fs" lineno="6561">
 <summary>
 Unmount all filesystems.
 </summary>
@@ -68390,7 +68687,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_fs" lineno="6407">
+<interface name="fs_getattr_all_fs" lineno="6593">
 <summary>
 Get the attributes of all filesystems.
 </summary>
@@ -68414,7 +68711,7 @@ Domain allowed access.
 <infoflow type="read" weight="5"/>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_getattr_all_fs" lineno="6427">
+<interface name="fs_dontaudit_getattr_all_fs" lineno="6613">
 <summary>
 Do not audit attempts to get the attributes
 all filesystems.
@@ -68425,7 +68722,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_get_all_fs_quotas" lineno="6446">
+<interface name="fs_get_all_fs_quotas" lineno="6632">
 <summary>
 Get the quotas of all filesystems.
 </summary>
@@ -68436,7 +68733,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_set_all_quotas" lineno="6465">
+<interface name="fs_set_all_quotas" lineno="6651">
 <summary>
 Set the quotas of all filesystems.
 </summary>
@@ -68447,7 +68744,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_relabelfrom_all_fs" lineno="6483">
+<interface name="fs_relabelfrom_all_fs" lineno="6669">
 <summary>
 Relabelfrom all filesystems.
 </summary>
@@ -68457,7 +68754,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_dirs" lineno="6502">
+<interface name="fs_getattr_all_dirs" lineno="6688">
 <summary>
 Get the attributes of all directories
 with a filesystem type.
@@ -68468,7 +68765,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_all" lineno="6520">
+<interface name="fs_search_all" lineno="6706">
 <summary>
 Search all directories with a filesystem type.
 </summary>
@@ -68478,7 +68775,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_all" lineno="6538">
+<interface name="fs_list_all" lineno="6724">
 <summary>
 List all directories with a filesystem type.
 </summary>
@@ -68488,7 +68785,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_files" lineno="6557">
+<interface name="fs_getattr_all_files" lineno="6743">
 <summary>
 Get the attributes of all files with
 a filesystem type.
@@ -68499,7 +68796,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_files" lineno="6576">
+<interface name="fs_dontaudit_getattr_all_files" lineno="6762">
 <summary>
 Do not audit attempts to get the attributes
 of all files with a filesystem type.
@@ -68510,7 +68807,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_symlinks" lineno="6595">
+<interface name="fs_getattr_all_symlinks" lineno="6781">
 <summary>
 Get the attributes of all symbolic links with
 a filesystem type.
@@ -68521,7 +68818,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6614">
+<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6800">
 <summary>
 Do not audit attempts to get the attributes
 of all symbolic links with a filesystem type.
@@ -68532,7 +68829,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_pipes" lineno="6633">
+<interface name="fs_getattr_all_pipes" lineno="6819">
 <summary>
 Get the attributes of all named pipes with
 a filesystem type.
@@ -68543,7 +68840,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_pipes" lineno="6652">
+<interface name="fs_dontaudit_getattr_all_pipes" lineno="6838">
 <summary>
 Do not audit attempts to get the attributes
 of all named pipes with a filesystem type.
@@ -68554,7 +68851,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_sockets" lineno="6671">
+<interface name="fs_getattr_all_sockets" lineno="6857">
 <summary>
 Get the attributes of all named sockets with
 a filesystem type.
@@ -68565,7 +68862,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_sockets" lineno="6690">
+<interface name="fs_dontaudit_getattr_all_sockets" lineno="6876">
 <summary>
 Do not audit attempts to get the attributes
 of all named sockets with a filesystem type.
@@ -68576,7 +68873,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_blk_files" lineno="6709">
+<interface name="fs_getattr_all_blk_files" lineno="6895">
 <summary>
 Get the attributes of all block device nodes with
 a filesystem type.
@@ -68587,7 +68884,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_chr_files" lineno="6728">
+<interface name="fs_getattr_all_chr_files" lineno="6914">
 <summary>
 Get the attributes of all character device nodes with
 a filesystem type.
@@ -68598,7 +68895,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unconfined" lineno="6746">
+<interface name="fs_unconfined" lineno="6932">
 <summary>
 Unconfined access to filesystems
 </summary>
@@ -69746,7 +70043,18 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_unix_sysctls" lineno="2032">
+<interface name="kernel_mounton_net_sysctl_dirs" lineno="2031">
+<summary>
+Allow caller to mount on network sysctl directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_unix_sysctls" lineno="2051">
 <summary>
 Allow caller to read unix domain
 socket sysctls.
@@ -69758,7 +70066,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_unix_sysctls" lineno="2054">
+<interface name="kernel_rw_unix_sysctls" lineno="2073">
 <summary>
 Read and write unix domain
 socket sysctls.
@@ -69770,7 +70078,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_hotplug_sysctls" lineno="2075">
+<interface name="kernel_read_hotplug_sysctls" lineno="2094">
 <summary>
 Read the hotplug sysctl.
 </summary>
@@ -69781,7 +70089,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_hotplug_sysctls" lineno="2096">
+<interface name="kernel_rw_hotplug_sysctls" lineno="2115">
 <summary>
 Read and write the hotplug sysctl.
 </summary>
@@ -69792,7 +70100,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_modprobe_sysctls" lineno="2117">
+<interface name="kernel_read_modprobe_sysctls" lineno="2136">
 <summary>
 Read the modprobe sysctl.
 </summary>
@@ -69803,7 +70111,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_modprobe_sysctls" lineno="2138">
+<interface name="kernel_rw_modprobe_sysctls" lineno="2157">
 <summary>
 Read and write the modprobe sysctl.
 </summary>
@@ -69814,7 +70122,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2158">
+<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2177">
 <summary>
 Do not audit attempts to search generic kernel sysctls.
 </summary>
@@ -69824,7 +70132,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2176">
+<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2195">
 <summary>
 Do not audit attempted reading of kernel sysctls
 </summary>
@@ -69834,7 +70142,18 @@ Domain to not audit accesses from
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_crypto_sysctls" lineno="2194">
+<interface name="kernel_mounton_kernel_sysctl_dirs" lineno="2214">
+<summary>
+Allow caller to mount on kernel sysctl directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_crypto_sysctls" lineno="2232">
 <summary>
 Read generic crypto sysctls.
 </summary>
@@ -69844,7 +70163,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_kernel_sysctls" lineno="2235">
+<interface name="kernel_read_kernel_sysctls" lineno="2273">
 <summary>
 Read general kernel sysctls.
 </summary>
@@ -69876,7 +70195,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2255">
+<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2293">
 <summary>
 Do not audit attempts to write generic kernel sysctls.
 </summary>
@@ -69886,7 +70205,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_kernel_sysctl" lineno="2274">
+<interface name="kernel_rw_kernel_sysctl" lineno="2312">
 <summary>
 Read and write generic kernel sysctls.
 </summary>
@@ -69897,7 +70216,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_mounton_kernel_sysctl_files" lineno="2295">
+<interface name="kernel_mounton_kernel_sysctl_files" lineno="2333">
 <summary>
 Mount on kernel sysctl files.
 </summary>
@@ -69908,7 +70227,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2315">
+<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2353">
 <summary>
 Read kernel ns lastpid sysctls.
 </summary>
@@ -69919,7 +70238,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2335">
+<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2373">
 <summary>
 Do not audit attempts to write kernel ns lastpid sysctls.
 </summary>
@@ -69929,7 +70248,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2354">
+<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2392">
 <summary>
 Read and write kernel ns lastpid sysctls.
 </summary>
@@ -69940,7 +70259,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_search_fs_sysctls" lineno="2375">
+<interface name="kernel_search_fs_sysctls" lineno="2413">
 <summary>
 Search filesystem sysctl directories.
 </summary>
@@ -69951,7 +70270,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_fs_sysctls" lineno="2394">
+<interface name="kernel_read_fs_sysctls" lineno="2432">
 <summary>
 Read filesystem sysctls.
 </summary>
@@ -69962,7 +70281,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_fs_sysctls" lineno="2415">
+<interface name="kernel_rw_fs_sysctls" lineno="2453">
 <summary>
 Read and write filesystem sysctls.
 </summary>
@@ -69973,7 +70292,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_irq_sysctls" lineno="2436">
+<interface name="kernel_read_irq_sysctls" lineno="2474">
 <summary>
 Read IRQ sysctls.
 </summary>
@@ -69984,7 +70303,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_dontaudit_search_fs_sysctls" lineno="2458">
+<interface name="kernel_dontaudit_search_fs_sysctls" lineno="2496">
 <summary>
 Do not audit attempts to search
 filesystem sysctl directories.
@@ -69996,7 +70315,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_irq_sysctls" lineno="2477">
+<interface name="kernel_rw_irq_sysctls" lineno="2515">
 <summary>
 Read and write IRQ sysctls.
 </summary>
@@ -70007,7 +70326,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_rpc_sysctls" lineno="2498">
+<interface name="kernel_read_rpc_sysctls" lineno="2536">
 <summary>
 Read RPC sysctls.
 </summary>
@@ -70018,7 +70337,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_rpc_sysctls" lineno="2519">
+<interface name="kernel_rw_rpc_sysctls" lineno="2557">
 <summary>
 Read and write RPC sysctls.
 </summary>
@@ -70029,7 +70348,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_dontaudit_list_all_sysctls" lineno="2539">
+<interface name="kernel_dontaudit_list_all_sysctls" lineno="2577">
 <summary>
 Do not audit attempts to list all sysctl directories.
 </summary>
@@ -70039,7 +70358,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_all_sysctls" lineno="2559">
+<interface name="kernel_read_all_sysctls" lineno="2597">
 <summary>
 Allow caller to read all sysctls.
 </summary>
@@ -70050,7 +70369,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_all_sysctls" lineno="2582">
+<interface name="kernel_rw_all_sysctls" lineno="2620">
 <summary>
 Read and write all sysctls.
 </summary>
@@ -70061,7 +70380,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_associate_proc" lineno="2607">
+<interface name="kernel_associate_proc" lineno="2645">
 <summary>
 Associate a file to proc_t (/proc)
 </summary>
@@ -70072,7 +70391,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_kill_unlabeled" lineno="2624">
+<interface name="kernel_kill_unlabeled" lineno="2662">
 <summary>
 Send a kill signal to unlabeled processes.
 </summary>
@@ -70082,7 +70401,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_mount_unlabeled" lineno="2642">
+<interface name="kernel_mount_unlabeled" lineno="2680">
 <summary>
 Mount a kernel unlabeled filesystem.
 </summary>
@@ -70092,7 +70411,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_unmount_unlabeled" lineno="2660">
+<interface name="kernel_unmount_unlabeled" lineno="2698">
 <summary>
 Unmount a kernel unlabeled filesystem.
 </summary>
@@ -70102,7 +70421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_signal_unlabeled" lineno="2678">
+<interface name="kernel_signal_unlabeled" lineno="2716">
 <summary>
 Send general signals to unlabeled processes.
 </summary>
@@ -70112,7 +70431,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_signull_unlabeled" lineno="2696">
+<interface name="kernel_signull_unlabeled" lineno="2734">
 <summary>
 Send a null signal to unlabeled processes.
 </summary>
@@ -70122,7 +70441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sigstop_unlabeled" lineno="2714">
+<interface name="kernel_sigstop_unlabeled" lineno="2752">
 <summary>
 Send a stop signal to unlabeled processes.
 </summary>
@@ -70132,7 +70451,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sigchld_unlabeled" lineno="2732">
+<interface name="kernel_sigchld_unlabeled" lineno="2770">
 <summary>
 Send a child terminated signal to unlabeled processes.
 </summary>
@@ -70142,7 +70461,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_getattr_unlabeled_dirs" lineno="2750">
+<interface name="kernel_getattr_unlabeled_dirs" lineno="2788">
 <summary>
 Get the attributes of unlabeled directories.
 </summary>
@@ -70152,7 +70471,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_search_unlabeled" lineno="2768">
+<interface name="kernel_dontaudit_search_unlabeled" lineno="2806">
 <summary>
 Do not audit attempts to search unlabeled directories.
 </summary>
@@ -70162,7 +70481,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_list_unlabeled" lineno="2786">
+<interface name="kernel_list_unlabeled" lineno="2824">
 <summary>
 List unlabeled directories.
 </summary>
@@ -70172,7 +70491,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_unlabeled_state" lineno="2804">
+<interface name="kernel_read_unlabeled_state" lineno="2842">
 <summary>
 Read the process state (/proc/pid) of all unlabeled_t.
 </summary>
@@ -70182,7 +70501,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_list_unlabeled" lineno="2824">
+<interface name="kernel_dontaudit_list_unlabeled" lineno="2862">
 <summary>
 Do not audit attempts to list unlabeled directories.
 </summary>
@@ -70192,7 +70511,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_unlabeled_dirs" lineno="2842">
+<interface name="kernel_rw_unlabeled_dirs" lineno="2880">
 <summary>
 Read and write unlabeled directories.
 </summary>
@@ -70202,7 +70521,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_dirs" lineno="2860">
+<interface name="kernel_delete_unlabeled_dirs" lineno="2898">
 <summary>
 Delete unlabeled directories.
 </summary>
@@ -70212,7 +70531,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_dirs" lineno="2878">
+<interface name="kernel_manage_unlabeled_dirs" lineno="2916">
 <summary>
 Create, read, write, and delete unlabeled directories.
 </summary>
@@ -70222,7 +70541,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_mounton_unlabeled_dirs" lineno="2896">
+<interface name="kernel_mounton_unlabeled_dirs" lineno="2934">
 <summary>
 Mount a filesystem on an unlabeled directory.
 </summary>
@@ -70232,7 +70551,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_unlabeled_files" lineno="2914">
+<interface name="kernel_read_unlabeled_files" lineno="2952">
 <summary>
 Read unlabeled files.
 </summary>
@@ -70242,7 +70561,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_unlabeled_files" lineno="2932">
+<interface name="kernel_rw_unlabeled_files" lineno="2970">
 <summary>
 Read and write unlabeled files.
 </summary>
@@ -70252,7 +70571,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_files" lineno="2950">
+<interface name="kernel_delete_unlabeled_files" lineno="2988">
 <summary>
 Delete unlabeled files.
 </summary>
@@ -70262,7 +70581,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_files" lineno="2968">
+<interface name="kernel_manage_unlabeled_files" lineno="3006">
 <summary>
 Create, read, write, and delete unlabeled files.
 </summary>
@@ -70272,7 +70591,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2987">
+<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="3025">
 <summary>
 Do not audit attempts by caller to get the
 attributes of an unlabeled file.
@@ -70283,7 +70602,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_read_unlabeled_files" lineno="3006">
+<interface name="kernel_dontaudit_read_unlabeled_files" lineno="3044">
 <summary>
 Do not audit attempts by caller to
 read an unlabeled file.
@@ -70294,7 +70613,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_unlabeled_filetrans" lineno="3040">
+<interface name="kernel_unlabeled_filetrans" lineno="3078">
 <summary>
 Create an object in unlabeled directories
 with a private type.
@@ -70320,7 +70639,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_symlinks" lineno="3058">
+<interface name="kernel_delete_unlabeled_symlinks" lineno="3096">
 <summary>
 Delete unlabeled symbolic links.
 </summary>
@@ -70330,7 +70649,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_symlinks" lineno="3076">
+<interface name="kernel_manage_unlabeled_symlinks" lineno="3114">
 <summary>
 Create, read, write, and delete unlabeled symbolic links.
 </summary>
@@ -70340,7 +70659,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3095">
+<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3133">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled symbolic links.
@@ -70351,7 +70670,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3114">
+<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3152">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled named pipes.
@@ -70362,7 +70681,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3133">
+<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3171">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled named sockets.
@@ -70373,7 +70692,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3152">
+<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3190">
 <summary>
 Do not audit attempts by caller to get attributes for
 unlabeled block devices.
@@ -70384,7 +70703,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_unlabeled_blk_files" lineno="3170">
+<interface name="kernel_rw_unlabeled_blk_files" lineno="3208">
 <summary>
 Read and write unlabeled block device nodes.
 </summary>
@@ -70394,7 +70713,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_blk_files" lineno="3188">
+<interface name="kernel_delete_unlabeled_blk_files" lineno="3226">
 <summary>
 Delete unlabeled block device nodes.
 </summary>
@@ -70404,7 +70723,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_blk_files" lineno="3206">
+<interface name="kernel_manage_unlabeled_blk_files" lineno="3244">
 <summary>
 Create, read, write, and delete unlabeled block device nodes.
 </summary>
@@ -70414,7 +70733,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3225">
+<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3263">
 <summary>
 Do not audit attempts by caller to get attributes for
 unlabeled character devices.
@@ -70425,7 +70744,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3244">
+<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3282">
 <summary>
 Do not audit attempts to
 write unlabeled character devices.
@@ -70436,7 +70755,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_chr_files" lineno="3262">
+<interface name="kernel_delete_unlabeled_chr_files" lineno="3300">
 <summary>
 Delete unlabeled character device nodes.
 </summary>
@@ -70446,7 +70765,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_chr_files" lineno="3281">
+<interface name="kernel_manage_unlabeled_chr_files" lineno="3319">
 <summary>
 Create, read, write, and delete unlabeled character device nodes.
 </summary>
@@ -70456,7 +70775,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3299">
+<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3337">
 <summary>
 Allow caller to relabel unlabeled directories.
 </summary>
@@ -70466,7 +70785,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_files" lineno="3317">
+<interface name="kernel_relabelfrom_unlabeled_files" lineno="3355">
 <summary>
 Allow caller to relabel unlabeled files.
 </summary>
@@ -70476,7 +70795,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3336">
+<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3374">
 <summary>
 Allow caller to relabel unlabeled symbolic links.
 </summary>
@@ -70486,7 +70805,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3355">
+<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3393">
 <summary>
 Allow caller to relabel unlabeled named pipes.
 </summary>
@@ -70496,7 +70815,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_pipes" lineno="3374">
+<interface name="kernel_delete_unlabeled_pipes" lineno="3412">
 <summary>
 Delete unlabeled named pipes
 </summary>
@@ -70506,7 +70825,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3392">
+<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3430">
 <summary>
 Allow caller to relabel unlabeled named sockets.
 </summary>
@@ -70516,7 +70835,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_sockets" lineno="3411">
+<interface name="kernel_delete_unlabeled_sockets" lineno="3449">
 <summary>
 Delete unlabeled named sockets.
 </summary>
@@ -70526,7 +70845,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3429">
+<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3467">
 <summary>
 Allow caller to relabel from unlabeled block devices.
 </summary>
@@ -70536,7 +70855,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3447">
+<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3485">
 <summary>
 Allow caller to relabel from unlabeled character devices.
 </summary>
@@ -70546,7 +70865,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sendrecv_unlabeled_association" lineno="3480">
+<interface name="kernel_setattr_all_unlabeled" lineno="3504">
+<summary>
+Allow caller set the attributes on all unlabeled
+directory and file objects.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_sendrecv_unlabeled_association" lineno="3537">
 <summary>
 Send and receive messages from an
 unlabeled IPSEC association.
@@ -70571,7 +70901,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3513">
+<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3570">
 <summary>
 Do not audit attempts to send and receive messages
 from an	unlabeled IPSEC association.
@@ -70596,7 +70926,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3540">
+<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3597">
 <summary>
 Receive TCP packets from an unlabeled connection.
 </summary>
@@ -70615,7 +70945,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3569">
+<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3626">
 <summary>
 Do not audit attempts to receive TCP packets from an unlabeled
 connection.
@@ -70636,7 +70966,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_udp_recvfrom_unlabeled" lineno="3596">
+<interface name="kernel_udp_recvfrom_unlabeled" lineno="3653">
 <summary>
 Receive UDP packets from an unlabeled connection.
 </summary>
@@ -70655,7 +70985,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3625">
+<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3682">
 <summary>
 Do not audit attempts to receive UDP packets from an unlabeled
 connection.
@@ -70676,7 +71006,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_raw_recvfrom_unlabeled" lineno="3652">
+<interface name="kernel_raw_recvfrom_unlabeled" lineno="3709">
 <summary>
 Receive Raw IP packets from an unlabeled connection.
 </summary>
@@ -70695,7 +71025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3681">
+<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3738">
 <summary>
 Do not audit attempts to receive Raw IP packets from an unlabeled
 connection.
@@ -70716,7 +71046,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sendrecv_unlabeled_packets" lineno="3711">
+<interface name="kernel_sendrecv_unlabeled_packets" lineno="3768">
 <summary>
 Send and receive unlabeled packets.
 </summary>
@@ -70738,7 +71068,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_recvfrom_unlabeled_peer" lineno="3739">
+<interface name="kernel_recvfrom_unlabeled_peer" lineno="3796">
 <summary>
 Receive packets from an unlabeled peer.
 </summary>
@@ -70758,7 +71088,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3767">
+<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3824">
 <summary>
 Do not audit attempts to receive packets from an unlabeled peer.
 </summary>
@@ -70778,7 +71108,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_database" lineno="3785">
+<interface name="kernel_relabelfrom_unlabeled_database" lineno="3842">
 <summary>
 Relabel from unlabeled database objects.
 </summary>
@@ -70788,7 +71118,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_unconfined" lineno="3822">
+<interface name="kernel_unconfined" lineno="3879">
 <summary>
 Unconfined access to kernel module resources.
 </summary>
@@ -70798,7 +71128,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_vm_overcommit_sysctl" lineno="3842">
+<interface name="kernel_read_vm_overcommit_sysctl" lineno="3899">
 <summary>
 Read virtual memory overcommit sysctl.
 </summary>
@@ -70809,7 +71139,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3862">
+<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3919">
 <summary>
 Read and write virtual memory overcommit sysctl.
 </summary>
@@ -70820,7 +71150,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3881">
+<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3938">
 <summary>
 Access unlabeled infiniband pkeys.
 </summary>
@@ -70830,7 +71160,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3899">
+<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3956">
 <summary>
 Manage subnet on unlabeled Infiniband endports.
 </summary>
@@ -72269,7 +72599,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_setattr_scsi_generic_dev_dev" lineno="553">
+<interface name="storage_delete_scsi_generic_dev" lineno="553">
+<summary>
+Allow the caller to delete the generic
+SCSI interface device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_setattr_scsi_generic_dev_dev" lineno="573">
 <summary>
 Set attributes of the device nodes
 for the SCSI generic interface.
@@ -72280,7 +72621,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_rw_scsi_generic" lineno="573">
+<interface name="storage_dontaudit_rw_scsi_generic" lineno="593">
 <summary>
 Do not audit attempts to read or write
 SCSI generic device interfaces.
@@ -72291,7 +72632,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_getattr_removable_dev" lineno="592">
+<interface name="storage_getattr_removable_dev" lineno="612">
 <summary>
 Allow the caller to get the attributes of removable
 devices device nodes.
@@ -72302,7 +72643,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_getattr_removable_dev" lineno="612">
+<interface name="storage_dontaudit_getattr_removable_dev" lineno="632">
 <summary>
 Do not audit attempts made by the caller to get
 the attributes of removable devices device nodes.
@@ -72313,7 +72654,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_read_removable_device" lineno="631">
+<interface name="storage_dontaudit_read_removable_device" lineno="651">
 <summary>
 Do not audit attempts made by the caller to read
 removable devices device nodes.
@@ -72324,7 +72665,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_write_removable_device" lineno="651">
+<interface name="storage_dontaudit_write_removable_device" lineno="671">
 <summary>
 Do not audit attempts made by the caller to write
 removable devices device nodes.
@@ -72335,7 +72676,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_setattr_removable_dev" lineno="670">
+<interface name="storage_setattr_removable_dev" lineno="690">
 <summary>
 Allow the caller to set the attributes of removable
 devices device nodes.
@@ -72346,7 +72687,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_setattr_removable_dev" lineno="690">
+<interface name="storage_dontaudit_setattr_removable_dev" lineno="710">
 <summary>
 Do not audit attempts made by the caller to set
 the attributes of removable devices device nodes.
@@ -72357,7 +72698,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_raw_read_removable_device" lineno="712">
+<interface name="storage_raw_read_removable_device" lineno="732">
 <summary>
 Allow the caller to directly read from
 a removable device.
@@ -72371,7 +72712,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_raw_read_removable_device" lineno="731">
+<interface name="storage_dontaudit_raw_read_removable_device" lineno="751">
 <summary>
 Do not audit attempts to directly read removable devices.
 </summary>
@@ -72381,7 +72722,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_raw_write_removable_device" lineno="753">
+<interface name="storage_raw_write_removable_device" lineno="773">
 <summary>
 Allow the caller to directly write to
 a removable device.
@@ -72395,7 +72736,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_raw_write_removable_device" lineno="772">
+<interface name="storage_dontaudit_raw_write_removable_device" lineno="792">
 <summary>
 Do not audit attempts to directly write removable devices.
 </summary>
@@ -72405,7 +72746,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_read_tape" lineno="791">
+<interface name="storage_read_tape" lineno="811">
 <summary>
 Allow the caller to directly read
 a tape device.
@@ -72416,7 +72757,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_write_tape" lineno="811">
+<interface name="storage_write_tape" lineno="831">
 <summary>
 Allow the caller to directly write
 a tape device.
@@ -72427,7 +72768,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_getattr_tape_dev" lineno="831">
+<interface name="storage_getattr_tape_dev" lineno="851">
 <summary>
 Allow the caller to get the attributes
 of device nodes of tape devices.
@@ -72438,7 +72779,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_setattr_tape_dev" lineno="851">
+<interface name="storage_setattr_tape_dev" lineno="871">
 <summary>
 Allow the caller to set the attributes
 of device nodes of tape devices.
@@ -72449,7 +72790,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_unconfined" lineno="870">
+<interface name="storage_unconfined" lineno="890">
 <summary>
 Unconfined access to storage devices.
 </summary>
@@ -77067,7 +77408,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="chronyd_startstop" lineno="273">
+<interface name="chronyd_startstop" lineno="274">
 <summary>
 Allow specified domain to start and stop chronyd unit
 </summary>
@@ -77077,7 +77418,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="chronyd_status" lineno="292">
+<interface name="chronyd_status" lineno="294">
 <summary>
 Allow specified domain to get status of chronyd unit
 </summary>
@@ -77087,7 +77428,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="chronyd_dgram_send_cli" lineno="312">
+<interface name="chronyd_dgram_send_cli" lineno="314">
 <summary>
 Send to chronyd command line interface using a unix domain
 datagram socket.
@@ -77098,7 +77439,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="chronyd_admin" lineno="338">
+<interface name="chronyd_admin" lineno="340">
 <summary>
 All of the rules required to
 administrate an chronyd environment.
@@ -77515,6 +77856,194 @@ nfs file systems.
 </desc>
 </tunable>
 </module>
+<module name="cockpit" filename="policy/modules/services/cockpit.if">
+<summary>Cockpit web management system for Linux</summary>
+
+<desc>
+Cockpit is a web console that enables users to administer Linux servers
+via a web browser.
+see https://cockpit-project.org/
+
+For linux logins that are allowed access they must be associated with a
+SELinux user that uses ssh_role_template (sysadm, system).  To be able
+to alter system settings the must be allowed sudo access.
+</desc>
+<template name="cockpit_role_template" lineno="46">
+<summary>
+The role template for the cockpit module.
+</summary>
+<desc>
+<p>
+This template creates a derived domain which is allowed
+to change the linux user id, to run commands as a different
+user.
+</p>
+</desc>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+User domain for the role.
+</summary>
+</param>
+<param name="user_exec_domain">
+<summary>
+User exec domain for execute access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+</template>
+<interface name="cockpit_domtrans_session" lineno="84">
+<summary>
+Transition to the cockpit session domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_get_service_status" lineno="103">
+<summary>
+Allow specified domain to get status of cockpit service
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_enabledisable" lineno="122">
+<summary>
+Allow specified domain to enable cockpit units
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_startstop" lineno="142">
+<summary>
+Allow specified domain to start cockpit units
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_manage_runtime_symlnks" lineno="162">
+<summary>
+Create, read, write, and delete the cockpick runtime symlink files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_use_session_fds" lineno="181">
+<summary>
+Inherit and use cockpit session file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_rw_session_pipes" lineno="199">
+<summary>
+Read and write cockpit session unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_use_ws_fds" lineno="217">
+<summary>
+Inherit and use cockpit web service file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_rw_ws_stream_sockets" lineno="235">
+<summary>
+Read and write cockpit web service stream socket
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_manage_cert_files" lineno="253">
+<summary>
+Manage the cockpit certificate files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_read_cert_files" lineno="271">
+<summary>
+Read cockpit certificate files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_delete_cert_files" lineno="291">
+<summary>
+Delete cockpit certificate files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cockpit_send_signal" lineno="311">
+<summary>
+Allow cockpit to send signals to another domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to send to,
+</summary>
+</param>
+</interface>
+<interface name="cockpit_admin" lineno="331">
+<summary>
+All of the rules required to administrate
+an cockpit environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
 <module name="collectd" filename="policy/modules/services/collectd.if">
 <summary>Statistics collection daemon for filling RRD files.</summary>
 <interface name="collectd_admin" lineno="20">
@@ -78056,7 +78585,19 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_system_engine" lineno="681">
+<interface name="container_fusefs_domtrans_spc" lineno="682">
+<summary>
+Execute FUSEFS files with a type
+transition to the super privileged
+container type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_stream_connect_system_engine" lineno="701">
 <summary>
 Connect to a system container engine
 domain over a unix stream socket.
@@ -78067,7 +78608,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_system_containers" lineno="703">
+<interface name="container_stream_connect_system_containers" lineno="723">
 <summary>
 Connect to a system container domain
 over a unix stream socket.
@@ -78078,7 +78619,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_user_containers" lineno="725">
+<interface name="container_stream_connect_user_containers" lineno="745">
 <summary>
 Connect to a user container domain
 over a unix stream socket.
@@ -78089,7 +78630,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_spc" lineno="747">
+<interface name="container_stream_connect_spc" lineno="767">
 <summary>
 Connect to super privileged containers
 over a unix stream socket.
@@ -78100,7 +78641,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_spc_tcp_sockets" lineno="769">
+<interface name="container_rw_spc_tcp_sockets" lineno="789">
 <summary>
 Read and write super privileged
 container TCP sockets.
@@ -78111,7 +78652,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_all_containers" lineno="788">
+<interface name="container_stream_connect_all_containers" lineno="808">
 <summary>
 Connect to a container domain
 over a unix stream socket.
@@ -78122,7 +78663,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_spec_container" lineno="810">
+<interface name="container_stream_connect_spec_container" lineno="830">
 <summary>
 Connect to the specified container
 domain over a unix stream socket.
@@ -78133,7 +78674,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_kill_all_containers" lineno="831">
+<interface name="container_kill_all_containers" lineno="851">
 <summary>
 Allow the specified domain to
 send a kill signal to all containers.
@@ -78144,7 +78685,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="container_signal_all_containers" lineno="851">
+<interface name="container_signal_all_containers" lineno="871">
 <summary>
 Allow the specified domain to
 send all signals to a container
@@ -78156,7 +78697,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="container_dev_filetrans" lineno="880">
+<interface name="container_dev_filetrans" lineno="900">
 <summary>
 Create objects in /dev with an automatic
 transition to the container device type.
@@ -78177,7 +78718,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_device_files" lineno="898">
+<interface name="container_rw_device_files" lineno="918">
 <summary>
 Read and write container device files.
 </summary>
@@ -78187,7 +78728,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_device_files" lineno="916">
+<interface name="container_manage_device_files" lineno="936">
 <summary>
 Manage container device files.
 </summary>
@@ -78197,7 +78738,28 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_mounton_all_devices" lineno="934">
+<interface name="container_getattr_device_blk_files" lineno="955">
+<summary>
+Get the attributes of container device
+block files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_read_device_blk_files" lineno="973">
+<summary>
+Read container device block files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_mounton_all_devices" lineno="991">
 <summary>
 Mount on all container devices.
 </summary>
@@ -78207,7 +78769,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_setattr_container_ptys" lineno="952">
+<interface name="container_setattr_container_ptys" lineno="1009">
 <summary>
 Set the attributes of container ptys.
 </summary>
@@ -78217,7 +78779,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_use_container_ptys" lineno="970">
+<interface name="container_use_container_ptys" lineno="1027">
 <summary>
 Read and write container ptys.
 </summary>
@@ -78227,7 +78789,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_mountpoint" lineno="989">
+<interface name="container_mountpoint" lineno="1046">
 <summary>
 Make the specified type usable as a mountpoint
 for containers.
@@ -78238,7 +78800,7 @@ Type to be used as a mountpoint.
 </summary>
 </param>
 </interface>
-<interface name="container_list_plugin_dirs" lineno="1009">
+<interface name="container_list_plugin_dirs" lineno="1066">
 <summary>
 Allow the specified domain to
 list the contents of container
@@ -78250,7 +78812,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_plugin_dirs" lineno="1029">
+<interface name="container_watch_plugin_dirs" lineno="1086">
 <summary>
 Allow the specified domain to
 add a watch on container plugin
@@ -78262,7 +78824,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_plugin_files" lineno="1048">
+<interface name="container_manage_plugin_files" lineno="1105">
 <summary>
 Allow the specified domain to
 manage container plugin files.
@@ -78273,7 +78835,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_exec_plugins" lineno="1067">
+<interface name="container_exec_plugins" lineno="1124">
 <summary>
 Allow the specified domain to
 execute container plugins.
@@ -78284,7 +78846,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_search_config" lineno="1087">
+<interface name="container_search_config" lineno="1144">
 <summary>
 Allow the specified domain to
 search container config directories.
@@ -78295,7 +78857,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_config" lineno="1107">
+<interface name="container_read_config" lineno="1164">
 <summary>
 Allow the specified domain to
 read container config files.
@@ -78306,7 +78868,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_config_dirs" lineno="1127">
+<interface name="container_watch_config_dirs" lineno="1184">
 <summary>
 Allow the specified domain to
 watch container config directories.
@@ -78317,7 +78879,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_create_config_files" lineno="1146">
+<interface name="container_create_config_files" lineno="1203">
 <summary>
 Allow the specified domain to
 create container config files.
@@ -78328,7 +78890,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_config_files" lineno="1165">
+<interface name="container_rw_config_files" lineno="1222">
 <summary>
 Allow the specified domain to read
 and write container config files.
@@ -78339,7 +78901,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_config_files" lineno="1184">
+<interface name="container_manage_config_files" lineno="1241">
 <summary>
 Allow the specified domain to
 manage container config files.
@@ -78350,7 +78912,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_file_root_filetrans" lineno="1205">
+<interface name="container_file_root_filetrans" lineno="1262">
 <summary>
 Allow the specified domain to
 create container files in the
@@ -78363,7 +78925,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_dirs" lineno="1224">
+<interface name="container_manage_dirs" lineno="1281">
 <summary>
 Allow the specified domain to
 manage container file directories.
@@ -78374,7 +78936,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_dirs" lineno="1243">
+<interface name="container_watch_dirs" lineno="1300">
 <summary>
 Allow the specified domain to
 watch container file directories.
@@ -78385,7 +78947,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_files" lineno="1262">
+<interface name="container_manage_files" lineno="1319">
 <summary>
 Allow the specified domain to
 manage container files.
@@ -78396,7 +78958,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_dontaudit_relabel_dirs" lineno="1281">
+<interface name="container_dontaudit_relabel_dirs" lineno="1338">
 <summary>
 Do not audit attempts to relabel
 container file directories.
@@ -78407,7 +78969,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="container_dontaudit_relabel_files" lineno="1300">
+<interface name="container_dontaudit_relabel_files" lineno="1357">
 <summary>
 Do not audit attempts to relabel
 container files.
@@ -78418,7 +78980,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_lnk_files" lineno="1319">
+<interface name="container_manage_lnk_files" lineno="1376">
 <summary>
 Allow the specified domain to
 manage container lnk files.
@@ -78429,7 +78991,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_fifo_files" lineno="1338">
+<interface name="container_rw_fifo_files" lineno="1395">
 <summary>
 Allow the specified domain to
 read and write container fifo files.
@@ -78440,7 +79002,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_fifo_files" lineno="1357">
+<interface name="container_manage_fifo_files" lineno="1414">
 <summary>
 Allow the specified domain to
 manage container fifo files.
@@ -78451,7 +79013,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_sock_files" lineno="1376">
+<interface name="container_manage_sock_files" lineno="1433">
 <summary>
 Allow the specified domain to
 manage container sock files.
@@ -78462,7 +79024,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_chr_files" lineno="1395">
+<interface name="container_rw_chr_files" lineno="1452">
 <summary>
 Allow the specified domain to read
 and write container chr files.
@@ -78473,7 +79035,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_dontaudit_rw_chr_files" lineno="1414">
+<interface name="container_dontaudit_rw_chr_files" lineno="1471">
 <summary>
 Do not audit attempts to read
 and write container chr files.
@@ -78484,7 +79046,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_chr_files" lineno="1433">
+<interface name="container_manage_chr_files" lineno="1490">
 <summary>
 Allow the specified domain to
 manage container chr files.
@@ -78495,7 +79057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_spec_filetrans_file" lineno="1469">
+<interface name="container_spec_filetrans_file" lineno="1526">
 <summary>
 Allow the specified domain to create
 objects in specified directories with
@@ -78523,7 +79085,19 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_list_ro_dirs" lineno="1489">
+<interface name="container_getattr_all_files" lineno="1546">
+<summary>
+Allow the specified domain to get
+the attributes of all container
+file objects.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_list_ro_dirs" lineno="1566">
 <summary>
 Allow the specified domain to list
 the contents of read-only container
@@ -78535,7 +79109,29 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_home_config" lineno="1508">
+<interface name="container_getattr_all_ro_files" lineno="1586">
+<summary>
+Allow the specified domain to get
+the attributes of all read-only
+container file objects.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_read_home_config" lineno="1604">
+<summary>
+Read container config home content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_manage_home_config" lineno="1625">
 <summary>
 Allow the specified domain to
 manage container config home content.
@@ -78546,7 +79142,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_config_home_filetrans" lineno="1540">
+<interface name="container_config_home_filetrans" lineno="1657">
 <summary>
 Allow the specified domain to create
 objects in an xdg_config directory
@@ -78569,7 +79165,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_home_data_files" lineno="1560">
+<interface name="container_manage_home_data_files" lineno="1677">
 <summary>
 Allow the specified domain to
 manage container data home files.
@@ -78580,7 +79176,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_home_data_fifo_files" lineno="1580">
+<interface name="container_manage_home_data_fifo_files" lineno="1697">
 <summary>
 Allow the specified domain to
 manage container data home named
@@ -78592,7 +79188,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_home_data_sock_files" lineno="1600">
+<interface name="container_manage_home_data_sock_files" lineno="1717">
 <summary>
 Allow the specified domain to
 manage container data home named
@@ -78604,7 +79200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_admin_all_files" lineno="1618">
+<interface name="container_admin_all_files" lineno="1735">
 <summary>
 Administrate all container files.
 </summary>
@@ -78614,7 +79210,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_admin_all_ro_files" lineno="1638">
+<interface name="container_admin_all_ro_files" lineno="1755">
 <summary>
 Administrate all container read-only files.
 </summary>
@@ -78624,7 +79220,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_admin_all_user_runtime_content" lineno="1660">
+<interface name="container_admin_all_user_runtime_content" lineno="1777">
 <summary>
 All of the rules necessary for a user
 to manage user container runtime data
@@ -78636,7 +79232,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_all_home_content" lineno="1680">
+<interface name="container_manage_all_home_content" lineno="1797">
 <summary>
 All of the rules necessary for a user
 to manage container data in their home
@@ -78648,7 +79244,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_relabel_all_content" lineno="1724">
+<interface name="container_relabel_all_content" lineno="1841">
 <summary>
 Allow the specified domain to
 relabel container files and
@@ -78660,7 +79256,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_remount_fs" lineno="1743">
+<interface name="container_remount_fs" lineno="1860">
 <summary>
 Allow the specified domain to
 remount container filesystems.
@@ -78671,7 +79267,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_relabel_fs" lineno="1762">
+<interface name="container_relabel_fs" lineno="1879">
 <summary>
 Allow the specified domain to
 relabel container filesystems.
@@ -78682,7 +79278,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_getattr_fs" lineno="1782">
+<interface name="container_getattr_fs" lineno="1899">
 <summary>
 Allow the specified domain to
 get the attributes of container
@@ -78694,7 +79290,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_search_runtime" lineno="1801">
+<interface name="container_search_runtime" lineno="1918">
 <summary>
 Allow the specified domain to search
 runtime container directories.
@@ -78705,7 +79301,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_runtime_files" lineno="1821">
+<interface name="container_read_runtime_files" lineno="1938">
 <summary>
 Allow the specified domain to read
 runtime container files.
@@ -78716,7 +79312,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_getattr_runtime_sock_files" lineno="1842">
+<interface name="container_getattr_runtime_sock_files" lineno="1959">
 <summary>
 Allow the specified domain to get
 the attributes runtime container of
@@ -78728,7 +79324,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_runtime_files" lineno="1861">
+<interface name="container_create_runtime_dirs" lineno="1978">
+<summary>
+Allow the specified domain to create
+runtime container directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_manage_runtime_files" lineno="1997">
 <summary>
 Allow the specified domain to manage
 runtime container files.
@@ -78739,7 +79346,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_runtime_fifo_files" lineno="1880">
+<interface name="container_manage_runtime_fifo_files" lineno="2016">
 <summary>
 Allow the specified domain to manage
 runtime container named pipes.
@@ -78750,7 +79357,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_runtime_lnk_files" lineno="1899">
+<interface name="container_manage_runtime_lnk_files" lineno="2035">
 <summary>
 Allow the specified domain to manage
 runtime container symlinks.
@@ -78761,7 +79368,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_runtime_sock_files" lineno="1918">
+<interface name="container_manage_runtime_sock_files" lineno="2054">
 <summary>
 Allow the specified domain to manage
 runtime container named sockets.
@@ -78772,7 +79379,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_user_runtime_files" lineno="1937">
+<interface name="container_manage_user_runtime_files" lineno="2073">
 <summary>
 Allow the specified domain to manage
 user runtime container files.
@@ -78783,7 +79390,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_user_runtime_sock_files" lineno="1956">
+<interface name="container_rw_user_runtime_sock_files" lineno="2092">
 <summary>
 Allow the specified domain to read and
 write user runtime container named sockets.
@@ -78794,7 +79401,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_search_var_lib" lineno="1975">
+<interface name="container_search_var_lib" lineno="2111">
 <summary>
 Allow the specified domain to search
 container directories in /var/lib.
@@ -78805,7 +79412,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_list_var_lib" lineno="1996">
+<interface name="container_list_var_lib" lineno="2132">
 <summary>
 Allow the specified domain to list
 the contents of container directories
@@ -78817,7 +79424,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_dirs" lineno="2016">
+<interface name="container_manage_var_lib_dirs" lineno="2152">
 <summary>
 Allow the specified domain to manage
 container file directories in /var/lib.
@@ -78828,7 +79435,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_var_lib_files" lineno="2035">
+<interface name="container_read_var_lib_files" lineno="2171">
 <summary>
 Allow the specified domain to read
 container files in /var/lib.
@@ -78839,7 +79446,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_files" lineno="2054">
+<interface name="container_manage_var_lib_files" lineno="2190">
 <summary>
 Allow the specified domain to manage
 container files in /var/lib.
@@ -78850,7 +79457,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_map_var_lib_files" lineno="2073">
+<interface name="container_map_var_lib_files" lineno="2209">
 <summary>
 Allow the specified domain to memory
 map container files in /var/lib.
@@ -78861,7 +79468,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_fifo_files" lineno="2092">
+<interface name="container_manage_var_lib_fifo_files" lineno="2228">
 <summary>
 Allow the specified domain to manage
 container named pipes in /var/lib.
@@ -78872,7 +79479,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_lnk_files" lineno="2111">
+<interface name="container_manage_var_lib_lnk_files" lineno="2247">
 <summary>
 Allow the specified domain to manage
 container symlinks in /var/lib.
@@ -78883,7 +79490,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_sock_files" lineno="2130">
+<interface name="container_manage_var_lib_sock_files" lineno="2266">
 <summary>
 Allow the specified domain to manage
 container named sockets in /var/lib.
@@ -78894,7 +79501,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_var_lib_filetrans" lineno="2160">
+<interface name="container_var_lib_filetrans" lineno="2296">
 <summary>
 Allow the specified domain to create
 objects in /var/lib with an automatic
@@ -78916,7 +79523,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_var_lib_filetrans_file" lineno="2190">
+<interface name="container_var_lib_filetrans_file" lineno="2326">
 <summary>
 Allow the specified domain to create
 objects in /var/lib with an automatic
@@ -78938,7 +79545,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_filetrans_var_lib_file" lineno="2221">
+<interface name="container_filetrans_var_lib_file" lineno="2357">
 <summary>
 Allow the specified domain to create
 objects in container /var/lib directories
@@ -78961,7 +79568,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_unlabeled_var_lib_filetrans" lineno="2253">
+<interface name="container_unlabeled_var_lib_filetrans" lineno="2389">
 <summary>
 Allow the specified domain to create
 objects in unlabeled directories with
@@ -78984,7 +79591,19 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_search_logs" lineno="2274">
+<interface name="container_getattr_all_var_lib_files" lineno="2411">
+<summary>
+Allow the specified domain to get
+the attributes of all container
+var lib objects.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_search_logs" lineno="2430">
 <summary>
 Allow the specified domain to search
 container log file directories.
@@ -78995,7 +79614,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_list_log_dirs" lineno="2294">
+<interface name="container_list_log_dirs" lineno="2450">
 <summary>
 Allow the specified domain to list
 the contents of container log directories.
@@ -79006,7 +79625,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_create_log_dirs" lineno="2313">
+<interface name="container_create_log_dirs" lineno="2469">
 <summary>
 Allow the specified domain to create
 container log file directories.
@@ -79017,7 +79636,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_log_dirs" lineno="2332">
+<interface name="container_manage_log_dirs" lineno="2488">
 <summary>
 Allow the specified domain to manage
 container log file directories.
@@ -79028,7 +79647,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_log_dirs" lineno="2351">
+<interface name="container_watch_log_dirs" lineno="2507">
 <summary>
 Allow the specified domain to watch
 container log file directories.
@@ -79039,7 +79658,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_create_log_files" lineno="2370">
+<interface name="container_create_log_files" lineno="2526">
 <summary>
 Allow the specified domain to create
 container log files.
@@ -79050,7 +79669,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_append_log_files" lineno="2389">
+<interface name="container_append_log_files" lineno="2545">
 <summary>
 Allow the specified domain to append
 data to container log files.
@@ -79061,7 +79680,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_log_files" lineno="2408">
+<interface name="container_manage_log_files" lineno="2564">
 <summary>
 Allow the specified domain to manage
 container log files.
@@ -79072,7 +79691,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_log_files" lineno="2427">
+<interface name="container_watch_log_files" lineno="2583">
 <summary>
 Allow the specified domain to watch
 container log files.
@@ -79083,7 +79702,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_log_filetrans" lineno="2458">
+<interface name="container_log_filetrans" lineno="2614">
 <summary>
 Allow the specified domain to create
 objects in log directories with an
@@ -79106,7 +79725,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_log_symlinks" lineno="2478">
+<interface name="container_manage_log_symlinks" lineno="2634">
 <summary>
 Allow the specified domain to manage
 container log symlinks.
@@ -79117,7 +79736,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_start_units" lineno="2497">
+<interface name="container_start_units" lineno="2653">
 <summary>
 Allow the specified domain to start
 systemd units for containers.
@@ -79128,7 +79747,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_admin" lineno="2524">
+<interface name="container_admin" lineno="2680">
 <summary>
 All of the rules required to
 administrate a container
@@ -80574,7 +81193,7 @@ User domain for the role
 </summary>
 </param>
 </template>
-<interface name="dbus_system_bus_client" lineno="140">
+<interface name="dbus_system_bus_client" lineno="155">
 <summary>
 Template for creating connections to
 the system bus.
@@ -80585,7 +81204,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_connect_all_session_bus" lineno="181">
+<interface name="dbus_connect_all_session_bus" lineno="196">
 <summary>
 Acquire service on all DBUS
 session busses.
@@ -80596,7 +81215,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="dbus_connect_spec_session_bus" lineno="207">
+<template name="dbus_connect_spec_session_bus" lineno="222">
 <summary>
 Acquire service on specified
 DBUS session bus.
@@ -80613,7 +81232,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="dbus_all_session_bus_client" lineno="227">
+<interface name="dbus_all_session_bus_client" lineno="242">
 <summary>
 Creating connections to all
 DBUS session busses.
@@ -80624,7 +81243,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="dbus_spec_session_bus_client" lineno="261">
+<template name="dbus_spec_session_bus_client" lineno="276">
 <summary>
 Creating connections to specified
 DBUS session bus.
@@ -80641,7 +81260,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="dbus_send_all_session_bus" lineno="288">
+<interface name="dbus_send_all_session_bus" lineno="303">
 <summary>
 Send messages to all DBUS
 session busses.
@@ -80652,7 +81271,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="dbus_send_spec_session_bus" lineno="314">
+<template name="dbus_send_spec_session_bus" lineno="329">
 <summary>
 Send messages to specified
 DBUS session busses.
@@ -80669,7 +81288,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="dbus_getattr_session_runtime_socket" lineno="334">
+<interface name="dbus_getattr_session_runtime_socket" lineno="349">
 <summary>
 Allow the specified domain to get the
 attributes of the session dbus sock file.
@@ -80680,7 +81299,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_write_session_runtime_socket" lineno="353">
+<interface name="dbus_write_session_runtime_socket" lineno="368">
 <summary>
 Allow the specified domain to write to
 the session dbus sock file.
@@ -80691,7 +81310,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_config" lineno="371">
+<interface name="dbus_read_config" lineno="386">
 <summary>
 Read dbus configuration content.
 </summary>
@@ -80701,7 +81320,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_lib_files" lineno="390">
+<interface name="dbus_read_lib_files" lineno="405">
 <summary>
 Read system dbus lib files.
 </summary>
@@ -80711,7 +81330,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_relabel_lib_dirs" lineno="410">
+<interface name="dbus_relabel_lib_dirs" lineno="425">
 <summary>
 Relabel system dbus lib directory.
 </summary>
@@ -80721,7 +81340,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_manage_lib_files" lineno="430">
+<interface name="dbus_manage_lib_files" lineno="445">
 <summary>
 Create, read, write, and delete
 system dbus lib files.
@@ -80732,7 +81351,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_all_session_domain" lineno="456">
+<interface name="dbus_all_session_domain" lineno="471">
 <summary>
 Allow a application domain to be
 started by the specified session bus.
@@ -80749,7 +81368,7 @@ entry point to this domain.
 </summary>
 </param>
 </interface>
-<template name="dbus_spec_session_domain" lineno="490">
+<template name="dbus_spec_session_domain" lineno="505">
 <summary>
 Allow a application domain to be
 started by the specified session bus.
@@ -80772,7 +81391,7 @@ entry point to this domain.
 </summary>
 </param>
 </template>
-<interface name="dbus_connect_system_bus" lineno="511">
+<interface name="dbus_connect_system_bus" lineno="526">
 <summary>
 Acquire service on the DBUS system bus.
 </summary>
@@ -80782,7 +81401,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_send_system_bus" lineno="530">
+<interface name="dbus_send_system_bus" lineno="545">
 <summary>
 Send messages to the DBUS system bus.
 </summary>
@@ -80792,7 +81411,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_system_bus_unconfined" lineno="549">
+<interface name="dbus_system_bus_unconfined" lineno="564">
 <summary>
 Unconfined access to DBUS system bus.
 </summary>
@@ -80802,7 +81421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_system_domain" lineno="574">
+<interface name="dbus_system_domain" lineno="589">
 <summary>
 Create a domain for processes which
 can be started by the DBUS system bus.
@@ -80818,7 +81437,7 @@ Type of the program to be used as an entry point to this domain.
 </summary>
 </param>
 </interface>
-<interface name="dbus_use_system_bus_fds" lineno="612">
+<interface name="dbus_use_system_bus_fds" lineno="627">
 <summary>
 Use and inherit DBUS system bus
 file descriptors.
@@ -80829,7 +81448,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="631">
+<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="646">
 <summary>
 Do not audit attempts to read and
 write DBUS system bus TCP sockets.
@@ -80840,7 +81459,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dbus_watch_system_bus_runtime_dirs" lineno="649">
+<interface name="dbus_watch_system_bus_runtime_dirs" lineno="664">
 <summary>
 Watch system bus runtime directories.
 </summary>
@@ -80850,7 +81469,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_system_bus_runtime_files" lineno="667">
+<interface name="dbus_read_system_bus_runtime_files" lineno="682">
 <summary>
 Read system bus runtime files.
 </summary>
@@ -80860,7 +81479,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_list_system_bus_runtime" lineno="686">
+<interface name="dbus_list_system_bus_runtime" lineno="701">
 <summary>
 List system bus runtime directories.
 </summary>
@@ -80870,7 +81489,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="704">
+<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="719">
 <summary>
 Watch system bus runtime named sockets.
 </summary>
@@ -80880,7 +81499,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="722">
+<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="737">
 <summary>
 Read system bus runtime named sockets.
 </summary>
@@ -80890,7 +81509,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="741">
+<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="756">
 <summary>
 Do not audit attempts to write to
 system bus runtime named sockets.
@@ -80901,7 +81520,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dbus_rw_session_tmp_sockets" lineno="759">
+<interface name="dbus_rw_session_tmp_sockets" lineno="774">
 <summary>
 Read and write session named sockets in the tmp directory (/tmp).
 </summary>
@@ -80911,7 +81530,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_unconfined" lineno="777">
+<interface name="dbus_unconfined" lineno="792">
 <summary>
 Unconfined access to DBUS.
 </summary>
@@ -80921,7 +81540,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="807">
+<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="822">
 <summary>
 Create resources in /run or /var/run with the system_dbusd_runtime_t
 label. This method is deprecated in favor of the init_daemon_run_dir
@@ -80943,7 +81562,7 @@ Optional file name used for the resource
 </summary>
 </param>
 </interface>
-<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="821">
+<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="836">
 <summary>
 Create directories with the system_dbusd_runtime_t label
 </summary>
@@ -82994,6 +83613,17 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
+<tunable name="glusterfs_manage_unlabeled" dftval="false">
+<desc>
+<p>
+Allow the gluster daemon to manage unlabeled
+objects. This could happen if the underlying
+gluster brick experiences data corruption
+and you want to allow gluster to handle
+files with corrupted or missing xattrs.
+</p>
+</desc>
+</tunable>
 <tunable name="glusterfs_modify_policy" dftval="false">
 <desc>
 <p>
@@ -84725,7 +85355,29 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_getpgid_containers" lineno="315">
+<interface name="kubernetes_read_container_engine_state" lineno="314">
+<summary>
+Read the process state (/proc/pid) of
+kubernetes container engines.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_dontaudit_search_engine_keys" lineno="333">
+<summary>
+Do not audit attempts to search
+kubernetes container engine keys.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_getpgid_containers" lineno="353">
 <summary>
 Allow the specified domain to
 get the process group ID of all
@@ -84737,7 +85389,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_run_engine_bpf" lineno="334">
+<interface name="kubernetes_run_engine_bpf" lineno="372">
 <summary>
 Run kubernetes container engine bpf
 programs.
@@ -84748,7 +85400,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_search_config" lineno="352">
+<interface name="kubernetes_search_config" lineno="390">
 <summary>
 Search kubernetes config directories.
 </summary>
@@ -84758,7 +85410,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_read_config" lineno="371">
+<interface name="kubernetes_read_config" lineno="409">
 <summary>
 Read kubernetes config files and symlinks.
 </summary>
@@ -84768,7 +85420,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_mounton_config_dirs" lineno="391">
+<interface name="kubernetes_mounton_config_dirs" lineno="429">
 <summary>
 Mount on kubernetes config directories.
 </summary>
@@ -84778,7 +85430,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_config_dirs" lineno="410">
+<interface name="kubernetes_watch_config_dirs" lineno="448">
 <summary>
 Allow the specified domain to watch
 kubernetes config directories.
@@ -84789,7 +85441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_config_files" lineno="428">
+<interface name="kubernetes_manage_config_files" lineno="466">
 <summary>
 Manage kubernetes config files.
 </summary>
@@ -84799,7 +85451,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_mounton_config_files" lineno="446">
+<interface name="kubernetes_mounton_config_files" lineno="484">
 <summary>
 Mount on kubernetes config files.
 </summary>
@@ -84809,7 +85461,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_config_files" lineno="465">
+<interface name="kubernetes_watch_config_files" lineno="503">
 <summary>
 Allow the specified domain to watch
 kubernetes config files.
@@ -84820,7 +85472,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_search_plugin_dirs" lineno="485">
+<interface name="kubernetes_search_plugin_dirs" lineno="523">
 <summary>
 Allow the specified domain to search
 through the contents of kubernetes plugin
@@ -84832,7 +85484,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_list_plugins" lineno="506">
+<interface name="kubernetes_list_plugins" lineno="544">
 <summary>
 Allow the specified domain to list
 the contents of kubernetes plugin
@@ -84844,7 +85496,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_plugin_dirs" lineno="525">
+<interface name="kubernetes_watch_plugin_dirs" lineno="563">
 <summary>
 Allow the specified domain to watch
 kubernetes plugin directories.
@@ -84855,7 +85507,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_plugin_files" lineno="544">
+<interface name="kubernetes_manage_plugin_files" lineno="582">
 <summary>
 Allow the specified domain to manage
 kubernetes plugin files.
@@ -84866,7 +85518,77 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_list_tmpfs" lineno="563">
+<interface name="kubernetes_manage_runtime_dirs" lineno="600">
+<summary>
+Manage kubernetes runtime directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_mounton_runtime_dirs" lineno="618">
+<summary>
+Mount on kubernetes runtime directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_manage_runtime_files" lineno="636">
+<summary>
+Manage kubernetes runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_map_runtime_files" lineno="654">
+<summary>
+Memory map kubernetes runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_watch_runtime_files" lineno="672">
+<summary>
+Watch kubernetes runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_manage_runtime_symlinks" lineno="690">
+<summary>
+Manage kubernetes runtime symlinks.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_manage_runtime_sock_files" lineno="708">
+<summary>
+Manage kubernetes runtime sock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_list_tmpfs" lineno="727">
 <summary>
 List the contents of kubernetes tmpfs
 directories.
@@ -84877,7 +85599,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_tmpfs_dirs" lineno="581">
+<interface name="kubernetes_manage_tmpfs_dirs" lineno="745">
 <summary>
 Manage kubernetes tmpfs directories.
 </summary>
@@ -84887,7 +85609,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_tmpfs_dirs" lineno="599">
+<interface name="kubernetes_watch_tmpfs_dirs" lineno="763">
 <summary>
 Watch kubernetes tmpfs directories.
 </summary>
@@ -84897,7 +85619,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_read_tmpfs_files" lineno="617">
+<interface name="kubernetes_read_tmpfs_files" lineno="781">
 <summary>
 Read kubernetes tmpfs files.
 </summary>
@@ -84907,7 +85629,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_tmpfs_files" lineno="635">
+<interface name="kubernetes_manage_tmpfs_files" lineno="799">
 <summary>
 Manage kubernetes tmpfs files.
 </summary>
@@ -84917,7 +85639,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_tmpfs_files" lineno="653">
+<interface name="kubernetes_watch_tmpfs_files" lineno="817">
 <summary>
 Watch kubernetes tmpfs files.
 </summary>
@@ -84927,7 +85649,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_read_tmpfs_symlinks" lineno="671">
+<interface name="kubernetes_read_tmpfs_symlinks" lineno="835">
 <summary>
 Read kubernetes tmpfs symlinks.
 </summary>
@@ -84937,7 +85659,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_tmpfs_symlinks" lineno="689">
+<interface name="kubernetes_manage_tmpfs_symlinks" lineno="853">
 <summary>
 Manage kubernetes tmpfs symlinks.
 </summary>
@@ -84947,7 +85669,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_relabelfrom_tmpfs_dirs" lineno="708">
+<interface name="kubernetes_relabelfrom_tmpfs_dirs" lineno="872">
 <summary>
 Relabel directories from the kubernetes
 tmpfs type.
@@ -84958,7 +85680,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_relabelfrom_tmpfs_files" lineno="726">
+<interface name="kubernetes_relabelfrom_tmpfs_files" lineno="890">
 <summary>
 Relabel files from the kubernetes tmpfs type.
 </summary>
@@ -84968,7 +85690,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_relabelfrom_tmpfs_symlinks" lineno="744">
+<interface name="kubernetes_relabelfrom_tmpfs_symlinks" lineno="908">
 <summary>
 Relabel symlinks from the kubernetes tmpfs type.
 </summary>
@@ -84978,7 +85700,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_get_unit_status" lineno="762">
+<interface name="kubernetes_get_unit_status" lineno="926">
 <summary>
 Get the status of kubernetes systemd units.
 </summary>
@@ -84988,7 +85710,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_start_unit" lineno="781">
+<interface name="kubernetes_start_unit" lineno="945">
 <summary>
 Start kubernetes systemd units.
 </summary>
@@ -84998,7 +85720,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_stop_unit" lineno="800">
+<interface name="kubernetes_stop_unit" lineno="964">
 <summary>
 Stop kubernetes systemd units.
 </summary>
@@ -85008,7 +85730,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_reload_unit" lineno="819">
+<interface name="kubernetes_reload_unit" lineno="983">
 <summary>
 Reload kubernetes systemd units.
 </summary>
@@ -85018,7 +85740,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_admin" lineno="845">
+<interface name="kubernetes_admin" lineno="1009">
 <summary>
 All of the rules required to administrate
 a kubernetes environment.
@@ -90437,7 +91159,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="postgresql_loadable_module" lineno="125">
+<interface name="postgresql_loadable_module" lineno="123">
 <summary>
 Marks as a SE-PostgreSQL loadable shared library module
 </summary>
@@ -90447,7 +91169,7 @@ Type marked as a database object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_database_object" lineno="143">
+<interface name="postgresql_database_object" lineno="141">
 <summary>
 Marks as a SE-PostgreSQL database object type
 </summary>
@@ -90457,7 +91179,7 @@ Type marked as a database object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_schema_object" lineno="161">
+<interface name="postgresql_schema_object" lineno="159">
 <summary>
 Marks as a SE-PostgreSQL schema object type
 </summary>
@@ -90467,7 +91189,7 @@ Type marked as a schema object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_table_object" lineno="179">
+<interface name="postgresql_table_object" lineno="177">
 <summary>
 Marks as a SE-PostgreSQL table/column/tuple object type
 </summary>
@@ -90477,7 +91199,7 @@ Type marked as a table/column/tuple object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_system_table_object" lineno="197">
+<interface name="postgresql_system_table_object" lineno="195">
 <summary>
 Marks as a SE-PostgreSQL system table/column/tuple object type
 </summary>
@@ -90487,7 +91209,7 @@ Type marked as a table/column/tuple object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_sequence_object" lineno="216">
+<interface name="postgresql_sequence_object" lineno="214">
 <summary>
 Marks as a SE-PostgreSQL sequence type
 </summary>
@@ -90497,7 +91219,7 @@ Type marked as a sequence type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_view_object" lineno="234">
+<interface name="postgresql_view_object" lineno="232">
 <summary>
 Marks as a SE-PostgreSQL view object type
 </summary>
@@ -90507,7 +91229,7 @@ Type marked as a view object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_procedure_object" lineno="252">
+<interface name="postgresql_procedure_object" lineno="250">
 <summary>
 Marks as a SE-PostgreSQL procedure object type
 </summary>
@@ -90517,7 +91239,7 @@ Type marked as a procedure object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_trusted_procedure_object" lineno="270">
+<interface name="postgresql_trusted_procedure_object" lineno="268">
 <summary>
 Marks as a SE-PostgreSQL trusted procedure object type
 </summary>
@@ -90527,7 +91249,7 @@ Type marked as a trusted procedure object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_language_object" lineno="290">
+<interface name="postgresql_language_object" lineno="288">
 <summary>
 Marks as a SE-PostgreSQL procedural language object type
 </summary>
@@ -90537,7 +91259,7 @@ Type marked as a procedural language object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_blob_object" lineno="308">
+<interface name="postgresql_blob_object" lineno="306">
 <summary>
 Marks as a SE-PostgreSQL binary large object type
 </summary>
@@ -90547,7 +91269,7 @@ Type marked as a database binary large object type.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_search_db" lineno="326">
+<interface name="postgresql_search_db" lineno="324">
 <summary>
 Allow the specified domain to search postgresql's database directory.
 </summary>
@@ -90557,7 +91279,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_manage_db" lineno="343">
+<interface name="postgresql_manage_db" lineno="341">
 <summary>
 Allow the specified domain to manage postgresql's database.
 </summary>
@@ -90567,7 +91289,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_exec" lineno="363">
+<interface name="postgresql_exec" lineno="361">
 <summary>
 Execute postgresql in the calling domain.
 </summary>
@@ -90577,7 +91299,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="postgresql_domtrans" lineno="381">
+<interface name="postgresql_domtrans" lineno="379">
 <summary>
 Execute postgresql in the postgresql domain.
 </summary>
@@ -90587,7 +91309,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_signal" lineno="399">
+<interface name="postgresql_signal" lineno="397">
 <summary>
 Allow domain to signal postgresql
 </summary>
@@ -90597,7 +91319,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_read_config" lineno="417">
+<interface name="postgresql_read_config" lineno="415">
 <summary>
 Allow the specified domain to read postgresql's etc.
 </summary>
@@ -90608,7 +91330,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="postgresql_tcp_connect" lineno="438">
+<interface name="postgresql_tcp_connect" lineno="436">
 <summary>
 Allow the specified domain to connect to postgresql with a tcp socket.
 </summary>
@@ -90618,7 +91340,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_stream_connect" lineno="459">
+<interface name="postgresql_stream_connect" lineno="457">
 <summary>
 Allow the specified domain to connect to postgresql with a unix socket.
 </summary>
@@ -90629,7 +91351,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="postgresql_unpriv_client" lineno="481">
+<interface name="postgresql_unpriv_client" lineno="479">
 <summary>
 Allow the specified domain unprivileged accesses to unifined database objects
 managed by SE-PostgreSQL,
@@ -90640,7 +91362,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_unconfined" lineno="573">
+<interface name="postgresql_unconfined" lineno="569">
 <summary>
 Allow the specified domain unconfined accesses to any database objects
 managed by SE-PostgreSQL,
@@ -90651,7 +91373,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postgresql_admin" lineno="597">
+<interface name="postgresql_admin" lineno="593">
 <summary>
 All of the rules required to administrate an postgresql environment
 </summary>
@@ -92290,7 +93012,17 @@ Domain prefix to be used.
 </summary>
 </param>
 </template>
-<interface name="rpc_dontaudit_getattr_exports" lineno="64">
+<interface name="rpc_list_exports" lineno="63">
+<summary>
+List export files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_dontaudit_getattr_exports" lineno="82">
 <summary>
 Do not audit attempts to get
 attributes of export files.
@@ -92301,7 +93033,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="rpc_read_exports" lineno="82">
+<interface name="rpc_read_exports" lineno="100">
 <summary>
 Read export files.
 </summary>
@@ -92311,7 +93043,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_write_exports" lineno="100">
+<interface name="rpc_create_exports" lineno="118">
+<summary>
+Create export files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_write_exports" lineno="136">
 <summary>
 Write export files.
 </summary>
@@ -92321,7 +93063,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_domtrans_nfsd" lineno="118">
+<interface name="rpc_domtrans_nfsd" lineno="154">
 <summary>
 Execute nfsd in the nfsd domain.
 </summary>
@@ -92331,7 +93073,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="rpc_initrc_domtrans_nfsd" lineno="138">
+<interface name="rpc_initrc_domtrans_nfsd" lineno="174">
 <summary>
 Execute nfsd init scripts in
 the initrc domain.
@@ -92342,7 +93084,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="rpc_domtrans_rpcd" lineno="156">
+<interface name="rpc_domtrans_rpcd" lineno="192">
 <summary>
 Execute rpcd in the rpcd domain.
 </summary>
@@ -92352,7 +93094,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="rpc_initrc_domtrans_rpcd" lineno="176">
+<interface name="rpc_initrc_domtrans_rpcd" lineno="212">
 <summary>
 Execute rpcd init scripts in
 the initrc domain.
@@ -92363,7 +93105,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="rpc_read_rpcd_state" lineno="195">
+<interface name="rpc_read_rpcd_state" lineno="231">
 <summary>
 Read the process state (/proc/pid) of
 rpcd.
@@ -92374,7 +93116,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_use_nfsd_fds" lineno="214">
+<interface name="rpc_use_nfsd_fds" lineno="250">
 <summary>
 Inherit and use file descriptors from
 nfsd.
@@ -92385,7 +93127,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_read_nfs_content" lineno="233">
+<interface name="rpc_read_nfs_content" lineno="269">
 <summary>
 Read nfs exported content.
 </summary>
@@ -92396,7 +93138,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="rpc_manage_nfs_rw_content" lineno="255">
+<interface name="rpc_manage_nfs_rw_content" lineno="291">
 <summary>
 Create, read, write, and delete
 nfs exported read write content.
@@ -92408,7 +93150,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="rpc_manage_nfs_ro_content" lineno="277">
+<interface name="rpc_manage_nfs_ro_content" lineno="313">
 <summary>
 Create, read, write, and delete
 nfs exported read only content.
@@ -92420,7 +93162,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="rpc_tcp_rw_nfs_sockets" lineno="297">
+<interface name="rpc_tcp_rw_nfs_sockets" lineno="333">
 <summary>
 Read and write to nfsd tcp sockets.
 </summary>
@@ -92430,7 +93172,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_udp_rw_nfs_sockets" lineno="315">
+<interface name="rpc_udp_rw_nfs_sockets" lineno="351">
 <summary>
 Read and write to nfsd udp sockets.
 </summary>
@@ -92440,7 +93182,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_search_nfs_state_data" lineno="333">
+<interface name="rpc_search_nfs_state_data" lineno="369">
 <summary>
 Search nfs lib directories.
 </summary>
@@ -92450,7 +93192,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_create_nfs_state_data_dirs" lineno="352">
+<interface name="rpc_create_nfs_state_data_dirs" lineno="388">
 <summary>
 Create nfs lib directories.
 </summary>
@@ -92460,7 +93202,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_read_nfs_state_data" lineno="371">
+<interface name="rpc_read_nfs_state_data" lineno="407">
 <summary>
 Read nfs lib files.
 </summary>
@@ -92470,7 +93212,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_manage_nfs_state_data" lineno="391">
+<interface name="rpc_manage_nfs_state_data" lineno="427">
 <summary>
 Create, read, write, and delete
 nfs lib files.
@@ -92481,7 +93223,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="rpc_admin" lineno="421">
+<interface name="rpc_admin" lineno="457">
 <summary>
 All of the rules required to
 administrate an rpc environment.
@@ -94843,7 +95585,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="ssh_sigchld" lineno="488">
+<interface name="ssh_sigchld" lineno="494">
 <summary>
 Send a SIGCHLD signal to the ssh server.
 </summary>
@@ -94853,7 +95595,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_signal" lineno="506">
+<interface name="ssh_signal" lineno="512">
 <summary>
 Send a generic signal to the ssh server.
 </summary>
@@ -94863,7 +95605,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_signull" lineno="524">
+<interface name="ssh_signull" lineno="530">
 <summary>
 Send a null signal to sshd processes.
 </summary>
@@ -94873,7 +95615,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_pipes" lineno="542">
+<interface name="ssh_read_pipes" lineno="548">
 <summary>
 Read a ssh server unnamed pipe.
 </summary>
@@ -94883,7 +95625,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_pipes" lineno="559">
+<interface name="ssh_rw_pipes" lineno="565">
 <summary>
 Read and write a ssh server unnamed pipe.
 </summary>
@@ -94893,7 +95635,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_stream_sockets" lineno="577">
+<interface name="ssh_rw_stream_sockets" lineno="583">
 <summary>
 Read and write ssh server unix domain stream sockets.
 </summary>
@@ -94903,7 +95645,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_tcp_sockets" lineno="595">
+<interface name="ssh_rw_tcp_sockets" lineno="601">
 <summary>
 Read and write ssh server TCP sockets.
 </summary>
@@ -94913,7 +95655,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="614">
+<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="620">
 <summary>
 Do not audit attempts to read and write
 ssh server TCP sockets.
@@ -94924,7 +95666,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="ssh_exec_sshd" lineno="632">
+<interface name="ssh_exec_sshd" lineno="638">
 <summary>
 Execute the ssh daemon in the caller domain.
 </summary>
@@ -94934,7 +95676,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_domtrans" lineno="651">
+<interface name="ssh_domtrans" lineno="657">
 <summary>
 Execute the ssh daemon sshd domain.
 </summary>
@@ -94944,7 +95686,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_client_domtrans" lineno="669">
+<interface name="ssh_client_domtrans" lineno="675">
 <summary>
 Execute the ssh client in the ssh client domain.
 </summary>
@@ -94954,7 +95696,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_exec" lineno="687">
+<interface name="ssh_exec" lineno="693">
 <summary>
 Execute the ssh client in the caller domain.
 </summary>
@@ -94964,7 +95706,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_setattr_key_files" lineno="706">
+<interface name="ssh_setattr_key_files" lineno="712">
 <summary>
 Set the attributes of sshd key files.
 </summary>
@@ -94974,7 +95716,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_agent_exec" lineno="725">
+<interface name="ssh_agent_exec" lineno="731">
 <summary>
 Execute the ssh agent client in the caller domain.
 </summary>
@@ -94984,7 +95726,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_setattr_home_dirs" lineno="744">
+<interface name="ssh_setattr_home_dirs" lineno="750">
 <summary>
 Set the attributes of ssh home directory (~/.ssh)
 </summary>
@@ -94994,7 +95736,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_create_home_dirs" lineno="762">
+<interface name="ssh_create_home_dirs" lineno="768">
 <summary>
 Create ssh home directory (~/.ssh)
 </summary>
@@ -95004,7 +95746,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_user_home_files" lineno="781">
+<interface name="ssh_read_user_home_files" lineno="787">
 <summary>
 Read ssh home directory content
 </summary>
@@ -95014,7 +95756,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_domtrans_keygen" lineno="802">
+<interface name="ssh_domtrans_keygen" lineno="808">
 <summary>
 Execute the ssh key generator in the ssh keygen domain.
 </summary>
@@ -95024,7 +95766,23 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_server_keys" lineno="820">
+<interface name="ssh_run_keygen" lineno="832">
+<summary>
+Execute the ssh key generator in the ssh keygen domain,
+and allow the specified	role the ssh keygen domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_read_server_keys" lineno="851">
 <summary>
 Read ssh server keys
 </summary>
@@ -95034,7 +95792,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_read_server_keys" lineno="838">
+<interface name="ssh_dontaudit_read_server_keys" lineno="869">
 <summary>
 Do not audit denials on reading ssh server keys
 </summary>
@@ -95044,7 +95802,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="ssh_manage_home_files" lineno="856">
+<interface name="ssh_manage_home_files" lineno="887">
 <summary>
 Manage ssh home directory content
 </summary>
@@ -95054,7 +95812,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_delete_tmp" lineno="875">
+<interface name="ssh_delete_tmp" lineno="906">
 <summary>
 Delete from the ssh temp files.
 </summary>
@@ -95064,7 +95822,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_agent_tmp" lineno="894">
+<interface name="ssh_dontaudit_agent_tmp" lineno="925">
 <summary>
 dontaudit access to ssh agent tmp dirs
 </summary>
@@ -98946,7 +99704,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_use_pam_motd_dynamic" lineno="121">
+<interface name="auth_use_pam_motd_dynamic" lineno="122">
 <summary>
 Use the pam module motd with dynamic support during authentication.
 This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071)
@@ -98958,7 +99716,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_pam_motd_dynamic" lineno="146">
+<interface name="auth_read_pam_motd_dynamic" lineno="147">
 <summary>
 Read the pam module motd with dynamic support during authentication.
 </summary>
@@ -98968,7 +99726,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_login_pgm_domain" lineno="165">
+<interface name="auth_login_pgm_domain" lineno="166">
 <summary>
 Make the specified domain used for a login program.
 </summary>
@@ -98978,7 +99736,7 @@ Domain type used for a login program domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_login_entry_type" lineno="252">
+<interface name="auth_login_entry_type" lineno="253">
 <summary>
 Use the login program as an entry point program.
 </summary>
@@ -98988,7 +99746,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_login_program" lineno="275">
+<interface name="auth_domtrans_login_program" lineno="276">
 <summary>
 Execute a login_program in the target domain.
 </summary>
@@ -99003,7 +99761,7 @@ The type of the login_program process.
 </summary>
 </param>
 </interface>
-<interface name="auth_ranged_domtrans_login_program" lineno="305">
+<interface name="auth_ranged_domtrans_login_program" lineno="306">
 <summary>
 Execute a login_program in the target domain,
 with a range transition.
@@ -99024,7 +99782,7 @@ Range of the login program.
 </summary>
 </param>
 </interface>
-<interface name="auth_search_cache" lineno="331">
+<interface name="auth_search_cache" lineno="332">
 <summary>
 Search authentication cache
 </summary>
@@ -99034,7 +99792,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_cache" lineno="349">
+<interface name="auth_read_cache" lineno="350">
 <summary>
 Read authentication cache
 </summary>
@@ -99044,7 +99802,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_cache" lineno="367">
+<interface name="auth_rw_cache" lineno="368">
 <summary>
 Read/Write authentication cache
 </summary>
@@ -99054,7 +99812,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_cache" lineno="385">
+<interface name="auth_manage_cache" lineno="386">
 <summary>
 Manage authentication cache
 </summary>
@@ -99064,7 +99822,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_var_filetrans_cache" lineno="404">
+<interface name="auth_var_filetrans_cache" lineno="405">
 <summary>
 Automatic transition from cache_t to cache.
 </summary>
@@ -99074,7 +99832,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_chk_passwd" lineno="422">
+<interface name="auth_domtrans_chk_passwd" lineno="423">
 <summary>
 Run unix_chkpwd to check a password.
 </summary>
@@ -99084,7 +99842,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_chkpwd" lineno="466">
+<interface name="auth_domtrans_chkpwd" lineno="467">
 <summary>
 Run unix_chkpwd to check a password.
 Stripped down version to be called within boolean
@@ -99095,7 +99853,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_chk_passwd" lineno="488">
+<interface name="auth_run_chk_passwd" lineno="489">
 <summary>
 Execute chkpwd programs in the chkpwd domain.
 </summary>
@@ -99110,7 +99868,7 @@ The role to allow the chkpwd domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_upd_passwd" lineno="507">
+<interface name="auth_domtrans_upd_passwd" lineno="508">
 <summary>
 Execute a domain transition to run unix_update.
 </summary>
@@ -99120,7 +99878,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_upd_passwd" lineno="532">
+<interface name="auth_run_upd_passwd" lineno="533">
 <summary>
 Execute updpwd programs in the updpwd domain.
 </summary>
@@ -99135,7 +99893,7 @@ The role to allow the updpwd domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_getattr_shadow" lineno="551">
+<interface name="auth_getattr_shadow" lineno="552">
 <summary>
 Get the attributes of the shadow passwords file.
 </summary>
@@ -99145,7 +99903,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_getattr_shadow" lineno="571">
+<interface name="auth_dontaudit_getattr_shadow" lineno="572">
 <summary>
 Do not audit attempts to get the attributes
 of the shadow passwords file.
@@ -99156,7 +99914,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_shadow" lineno="593">
+<interface name="auth_read_shadow" lineno="594">
 <summary>
 Read the shadow passwords file (/etc/shadow)
 </summary>
@@ -99166,7 +99924,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_map_shadow" lineno="609">
+<interface name="auth_map_shadow" lineno="610">
 <summary>
 Map the shadow passwords file (/etc/shadow)
 </summary>
@@ -99176,7 +99934,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_can_read_shadow_passwords" lineno="635">
+<interface name="auth_can_read_shadow_passwords" lineno="636">
 <summary>
 Pass shadow assertion for reading.
 </summary>
@@ -99195,7 +99953,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_tunable_read_shadow" lineno="661">
+<interface name="auth_tunable_read_shadow" lineno="662">
 <summary>
 Read the shadow password file.
 </summary>
@@ -99213,7 +99971,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_read_shadow" lineno="681">
+<interface name="auth_dontaudit_read_shadow" lineno="682">
 <summary>
 Do not audit attempts to read the shadow
 password file (/etc/shadow).
@@ -99224,7 +99982,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_shadow" lineno="699">
+<interface name="auth_rw_shadow" lineno="700">
 <summary>
 Read and write the shadow password file (/etc/shadow).
 </summary>
@@ -99234,7 +99992,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_shadow" lineno="722">
+<interface name="auth_manage_shadow" lineno="723">
 <summary>
 Create, read, write, and delete the shadow
 password file.
@@ -99245,7 +100003,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_etc_filetrans_shadow" lineno="749">
+<interface name="auth_etc_filetrans_shadow" lineno="751">
 <summary>
 Automatic transition from etc to shadow.
 </summary>
@@ -99260,7 +100018,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_shadow_history" lineno="767">
+<interface name="auth_read_shadow_history" lineno="769">
 <summary>
 Read the shadow history file.
 </summary>
@@ -99270,7 +100028,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_shadow_history" lineno="786">
+<interface name="auth_manage_shadow_history" lineno="788">
 <summary>
 Manage the shadow history file.
 </summary>
@@ -99280,7 +100038,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabelto_shadow" lineno="806">
+<interface name="auth_relabelto_shadow" lineno="808">
 <summary>
 Relabel to the shadow
 password file type.
@@ -99291,7 +100049,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_shadow" lineno="828">
+<interface name="auth_relabel_shadow" lineno="830">
 <summary>
 Relabel from and to the shadow
 password file type.
@@ -99302,7 +100060,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_shadow_lock" lineno="849">
+<interface name="auth_rw_shadow_lock" lineno="851">
 <summary>
 Read/Write shadow lock files.
 </summary>
@@ -99312,7 +100070,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_append_faillog" lineno="867">
+<interface name="auth_append_faillog" lineno="869">
 <summary>
 Append to the login failure log.
 </summary>
@@ -99322,7 +100080,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_create_faillog_files" lineno="886">
+<interface name="auth_create_faillog_files" lineno="888">
 <summary>
 Create fail log lock (in /run/faillock).
 </summary>
@@ -99332,7 +100090,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_faillog" lineno="904">
+<interface name="auth_rw_faillog" lineno="906">
 <summary>
 Read and write the login failure log.
 </summary>
@@ -99342,7 +100100,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_faillog" lineno="923">
+<interface name="auth_manage_faillog" lineno="925">
 <summary>
 Manage the login failure logs.
 </summary>
@@ -99352,7 +100110,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_setattr_faillog_files" lineno="942">
+<interface name="auth_setattr_faillog_files" lineno="944">
 <summary>
 Setattr the login failure logs.
 </summary>
@@ -99362,7 +100120,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_lastlog" lineno="961">
+<interface name="auth_read_lastlog" lineno="963">
 <summary>
 Read the last logins log.
 </summary>
@@ -99373,7 +100131,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_append_lastlog" lineno="980">
+<interface name="auth_append_lastlog" lineno="982">
 <summary>
 Append only to the last logins log.
 </summary>
@@ -99383,7 +100141,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_lastlog" lineno="999">
+<interface name="auth_relabel_lastlog" lineno="1001">
 <summary>
 relabel the last logins log.
 </summary>
@@ -99393,7 +100151,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_lastlog" lineno="1018">
+<interface name="auth_rw_lastlog" lineno="1020">
 <summary>
 Read and write to the last logins log.
 </summary>
@@ -99403,7 +100161,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_lastlog" lineno="1037">
+<interface name="auth_manage_lastlog" lineno="1039">
 <summary>
 Manage the last logins log.
 </summary>
@@ -99413,7 +100171,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_pam" lineno="1056">
+<interface name="auth_domtrans_pam" lineno="1058">
 <summary>
 Execute pam programs in the pam domain.
 </summary>
@@ -99423,7 +100181,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_signal_pam" lineno="1074">
+<interface name="auth_signal_pam" lineno="1076">
 <summary>
 Send generic signals to pam processes.
 </summary>
@@ -99433,7 +100191,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_pam" lineno="1097">
+<interface name="auth_run_pam" lineno="1099">
 <summary>
 Execute pam programs in the PAM domain.
 </summary>
@@ -99448,7 +100206,7 @@ The role to allow the PAM domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_exec_pam" lineno="1116">
+<interface name="auth_exec_pam" lineno="1118">
 <summary>
 Execute the pam program.
 </summary>
@@ -99458,7 +100216,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_var_auth" lineno="1135">
+<interface name="auth_read_var_auth" lineno="1137">
 <summary>
 Read var auth files. Used by various other applications
 and pam applets etc.
@@ -99469,7 +100227,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_var_auth" lineno="1155">
+<interface name="auth_rw_var_auth" lineno="1157">
 <summary>
 Read and write var auth files. Used by various other applications
 and pam applets etc.
@@ -99480,7 +100238,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_var_auth" lineno="1175">
+<interface name="auth_manage_var_auth" lineno="1177">
 <summary>
 Manage var auth files. Used by various other applications
 and pam applets etc.
@@ -99491,7 +100249,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_runtime_dirs" lineno="1196">
+<interface name="auth_manage_pam_runtime_dirs" lineno="1198">
 <summary>
 Manage pam runtime dirs.
 </summary>
@@ -99501,7 +100259,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_runtime_filetrans_pam_runtime" lineno="1227">
+<interface name="auth_runtime_filetrans_pam_runtime" lineno="1229">
 <summary>
 Create specified objects in
 pid directories with the pam runtime
@@ -99523,7 +100281,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_pam_runtime_files" lineno="1245">
+<interface name="auth_read_pam_runtime_files" lineno="1247">
 <summary>
 Read PAM runtime files.
 </summary>
@@ -99533,7 +100291,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1265">
+<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1267">
 <summary>
 Do not audit attempts to read PAM runtime files.
 </summary>
@@ -99543,7 +100301,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_delete_pam_runtime_files" lineno="1283">
+<interface name="auth_delete_pam_runtime_files" lineno="1285">
 <summary>
 Delete pam runtime files.
 </summary>
@@ -99553,7 +100311,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_runtime_files" lineno="1302">
+<interface name="auth_manage_pam_runtime_files" lineno="1304">
 <summary>
 Create, read, write, and delete pam runtime files.
 </summary>
@@ -99563,7 +100321,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_pam_console" lineno="1321">
+<interface name="auth_domtrans_pam_console" lineno="1323">
 <summary>
 Execute pam_console with a domain transition.
 </summary>
@@ -99573,7 +100331,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_search_pam_console_data" lineno="1340">
+<interface name="auth_search_pam_console_data" lineno="1342">
 <summary>
 Search the contents of the
 pam_console data directory.
@@ -99584,7 +100342,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_list_pam_console_data" lineno="1360">
+<interface name="auth_list_pam_console_data" lineno="1362">
 <summary>
 List the contents of the pam_console
 data directory.
@@ -99595,7 +100353,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_create_pam_console_data_dirs" lineno="1379">
+<interface name="auth_create_pam_console_data_dirs" lineno="1381">
 <summary>
 Create pam var console pid directories.
 </summary>
@@ -99605,7 +100363,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_pam_console_data_dirs" lineno="1398">
+<interface name="auth_relabel_pam_console_data_dirs" lineno="1400">
 <summary>
 Relabel pam_console data directories.
 </summary>
@@ -99615,7 +100373,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_pam_console_data" lineno="1416">
+<interface name="auth_read_pam_console_data" lineno="1418">
 <summary>
 Read pam_console data files.
 </summary>
@@ -99625,7 +100383,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_console_data" lineno="1437">
+<interface name="auth_manage_pam_console_data" lineno="1439">
 <summary>
 Create, read, write, and delete
 pam_console data files.
@@ -99636,7 +100394,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_delete_pam_console_data" lineno="1457">
+<interface name="auth_delete_pam_console_data" lineno="1459">
 <summary>
 Delete pam_console data.
 </summary>
@@ -99646,7 +100404,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_runtime_filetrans_pam_var_console" lineno="1490">
+<interface name="auth_runtime_filetrans_pam_var_console" lineno="1492">
 <summary>
 Create specified objects in generic
 runtime directories with the pam var
@@ -99669,7 +100427,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_utempter" lineno="1508">
+<interface name="auth_domtrans_utempter" lineno="1510">
 <summary>
 Execute utempter programs in the utempter domain.
 </summary>
@@ -99679,7 +100437,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_utempter" lineno="1531">
+<interface name="auth_run_utempter" lineno="1533">
 <summary>
 Execute utempter programs in the utempter domain.
 </summary>
@@ -99694,7 +100452,7 @@ The role to allow the utempter domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_exec_utempter" lineno="1550">
+<interface name="auth_dontaudit_exec_utempter" lineno="1552">
 <summary>
 Do not audit attempts to execute utempter executable.
 </summary>
@@ -99704,7 +100462,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_setattr_login_records" lineno="1568">
+<interface name="auth_setattr_login_records" lineno="1570">
 <summary>
 Set the attributes of login record files.
 </summary>
@@ -99714,7 +100472,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_login_records" lineno="1588">
+<interface name="auth_read_login_records" lineno="1590">
 <summary>
 Read login records files (/var/log/wtmp).
 </summary>
@@ -99725,7 +100483,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_dontaudit_read_login_records" lineno="1609">
+<interface name="auth_dontaudit_read_login_records" lineno="1611">
 <summary>
 Do not audit attempts to read login records
 files (/var/log/wtmp).
@@ -99737,7 +100495,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_dontaudit_write_login_records" lineno="1628">
+<interface name="auth_dontaudit_write_login_records" lineno="1630">
 <summary>
 Do not audit attempts to write to
 login records files.
@@ -99748,7 +100506,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_append_login_records" lineno="1646">
+<interface name="auth_append_login_records" lineno="1648">
 <summary>
 Append to login records (wtmp).
 </summary>
@@ -99758,7 +100516,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_write_login_records" lineno="1665">
+<interface name="auth_write_login_records" lineno="1667">
 <summary>
 Write to login records (wtmp).
 </summary>
@@ -99768,7 +100526,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_login_records" lineno="1683">
+<interface name="auth_rw_login_records" lineno="1685">
 <summary>
 Read and write login records.
 </summary>
@@ -99778,7 +100536,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_log_filetrans_login_records" lineno="1703">
+<interface name="auth_log_filetrans_login_records" lineno="1705">
 <summary>
 Create a login records in the log directory
 using a type transition.
@@ -99789,7 +100547,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_login_records" lineno="1722">
+<interface name="auth_manage_login_records" lineno="1724">
 <summary>
 Create, read, write, and delete login
 records files.
@@ -99800,7 +100558,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_login_records" lineno="1741">
+<interface name="auth_relabel_login_records" lineno="1743">
 <summary>
 Relabel login record files.
 </summary>
@@ -99810,7 +100568,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_use_nsswitch" lineno="1769">
+<interface name="auth_use_nsswitch" lineno="1771">
 <summary>
 Use nsswitch to look up user, password, group, or
 host information.
@@ -99830,7 +100588,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="auth_unconfined" lineno="1797">
+<interface name="auth_unconfined" lineno="1799">
 <summary>
 Unconfined access to the authlogin module.
 </summary>
@@ -100551,7 +101309,7 @@ Type of the program to be used as an entry point to this domain.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="init_ranged_daemon_domain" lineno="433">
+<interface name="init_ranged_daemon_domain" lineno="437">
 <summary>
 Create a domain for long running processes
 (daemons/services) which are started by init scripts,
@@ -100593,7 +101351,7 @@ MLS/MCS range for the domain.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="init_abstract_socket_activation" lineno="464">
+<interface name="init_abstract_socket_activation" lineno="468">
 <summary>
 Abstract socket service activation (systemd).
 </summary>
@@ -100603,7 +101361,7 @@ The domain to be started by systemd socket activation.
 </summary>
 </param>
 </interface>
-<interface name="init_named_socket_activation" lineno="489">
+<interface name="init_named_socket_activation" lineno="493">
 <summary>
 Named socket service activation (systemd).
 </summary>
@@ -100618,7 +101376,7 @@ The domain socket file type.
 </summary>
 </param>
 </interface>
-<interface name="init_system_domain" lineno="540">
+<interface name="init_system_domain" lineno="544">
 <summary>
 Create a domain for short running processes
 which are started by init scripts.
@@ -100655,7 +101413,7 @@ Type of the program to be used as an entry point to this domain.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="init_ranged_system_domain" lineno="602">
+<interface name="init_ranged_system_domain" lineno="608">
 <summary>
 Create a domain for short running processes
 which are started by init scripts.
@@ -100698,7 +101456,7 @@ Range for the domain.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="init_dyntrans" lineno="633">
+<interface name="init_dyntrans" lineno="639">
 <summary>
 Allow domain dyntransition to init_t domain.
 </summary>
@@ -100708,7 +101466,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_daemon_runtime_file" lineno="662">
+<interface name="init_daemon_runtime_file" lineno="668">
 <summary>
 Mark the file type as a daemon runtime file, allowing initrc_t
 to create it
@@ -100729,7 +101487,7 @@ Filename of the file that the init script creates
 </summary>
 </param>
 </interface>
-<interface name="init_daemon_lock_file" lineno="695">
+<interface name="init_daemon_lock_file" lineno="701">
 <summary>
 Mark the file type as a daemon lock file, allowing initrc_t
 to create it
@@ -100750,7 +101508,7 @@ Filename of the file that the init script creates
 </summary>
 </param>
 </interface>
-<interface name="init_domtrans" lineno="717">
+<interface name="init_domtrans" lineno="723">
 <summary>
 Execute init (/sbin/init) with a domain transition.
 </summary>
@@ -100760,7 +101518,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_pgm_spec_user_daemon_domain" lineno="741">
+<interface name="init_pgm_spec_user_daemon_domain" lineno="747">
 <summary>
 Execute init (/sbin/init) with a domain transition
 to the provided domain.
@@ -100776,7 +101534,7 @@ The type to be used as a systemd --user domain.
 </summary>
 </param>
 </interface>
-<interface name="init_exec" lineno="769">
+<interface name="init_exec" lineno="775">
 <summary>
 Execute the init program in the caller domain.
 </summary>
@@ -100787,7 +101545,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_pgm_entrypoint" lineno="790">
+<interface name="init_pgm_entrypoint" lineno="796">
 <summary>
 Allow the init program to be an entrypoint
 for the specified domain.
@@ -100799,7 +101557,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_exec_rc" lineno="819">
+<interface name="init_exec_rc" lineno="825">
 <summary>
 Execute the rc application in the caller domain.
 </summary>
@@ -100820,7 +101578,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getpgid" lineno="838">
+<interface name="init_getpgid" lineno="844">
 <summary>
 Get the process group of init.
 </summary>
@@ -100830,7 +101588,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signal" lineno="856">
+<interface name="init_signal" lineno="862">
 <summary>
 Send init a generic signal.
 </summary>
@@ -100840,7 +101598,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signull" lineno="874">
+<interface name="init_signull" lineno="880">
 <summary>
 Send init a null signal.
 </summary>
@@ -100850,7 +101608,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_sigchld" lineno="892">
+<interface name="init_sigchld" lineno="898">
 <summary>
 Send init a SIGCHLD signal.
 </summary>
@@ -100860,7 +101618,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_setsched" lineno="910">
+<interface name="init_setsched" lineno="916">
 <summary>
 Set the nice level of init.
 </summary>
@@ -100870,7 +101628,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_write_mountpoint_files" lineno="934">
+<interface name="init_write_mountpoint_files" lineno="940">
 <summary>
 Write systemd mountpoint files.
 </summary>
@@ -100886,7 +101644,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="init_create_mountpoint_files" lineno="958">
+<interface name="init_create_mountpoint_files" lineno="964">
 <summary>
 Create systemd mountpoint files.
 </summary>
@@ -100902,7 +101660,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="init_stream_connect" lineno="976">
+<interface name="init_stream_connect" lineno="982">
 <summary>
 Connect to init with a unix socket.
 </summary>
@@ -100912,7 +101670,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_unix_stream_socket_connectto" lineno="997">
+<interface name="init_unix_stream_socket_connectto" lineno="1003">
 <summary>
 Connect to init with a unix socket.
 Without any additional permissions.
@@ -100923,7 +101681,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_unix_stream_socket_sendto" lineno="1016">
+<interface name="init_unix_stream_socket_sendto" lineno="1022">
 <summary>
 Send to init with a unix socket.
 Without any additional permissions.
@@ -100934,7 +101692,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_fds" lineno="1074">
+<interface name="init_use_fds" lineno="1080">
 <summary>
 Inherit and use file descriptors from init.
 </summary>
@@ -100984,7 +101742,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="1"/>
 </interface>
-<interface name="init_dontaudit_use_fds" lineno="1093">
+<interface name="init_dontaudit_use_fds" lineno="1099">
 <summary>
 Do not audit attempts to inherit file
 descriptors from init.
@@ -100995,7 +101753,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_dgram_send" lineno="1112">
+<interface name="init_dgram_send" lineno="1118">
 <summary>
 Send messages to init unix datagram sockets.
 </summary>
@@ -101006,7 +101764,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_rw_inherited_stream_socket" lineno="1132">
+<interface name="init_rw_inherited_stream_socket" lineno="1138">
 <summary>
 Read and write to inherited init unix streams.
 </summary>
@@ -101016,7 +101774,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_stream_sockets" lineno="1151">
+<interface name="init_rw_stream_sockets" lineno="1157">
 <summary>
 Allow the specified domain to read/write to
 init with unix domain stream sockets.
@@ -101027,7 +101785,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_search_keys" lineno="1169">
+<interface name="init_dontaudit_search_keys" lineno="1175">
 <summary>
 Do not audit attempts to search init keys.
 </summary>
@@ -101037,7 +101795,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_system" lineno="1187">
+<interface name="init_start_system" lineno="1193">
 <summary>
 start service (systemd).
 </summary>
@@ -101047,7 +101805,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_system" lineno="1205">
+<interface name="init_stop_system" lineno="1212">
 <summary>
 stop service (systemd).
 </summary>
@@ -101057,7 +101815,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_system_status" lineno="1223">
+<interface name="init_get_system_status" lineno="1231">
 <summary>
 Get all service status (systemd).
 </summary>
@@ -101067,7 +101825,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_enable" lineno="1241">
+<interface name="init_enable" lineno="1250">
 <summary>
 Enable all systemd services (systemd).
 </summary>
@@ -101077,7 +101835,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_disable" lineno="1259">
+<interface name="init_disable" lineno="1269">
 <summary>
 Disable all services (systemd).
 </summary>
@@ -101087,7 +101845,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_reload" lineno="1277">
+<interface name="init_reload" lineno="1288">
 <summary>
 Reload all services (systemd).
 </summary>
@@ -101097,7 +101855,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_reboot_system" lineno="1295">
+<interface name="init_reboot_system" lineno="1307">
 <summary>
 Reboot the system (systemd).
 </summary>
@@ -101107,7 +101865,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_shutdown_system" lineno="1313">
+<interface name="init_shutdown_system" lineno="1326">
 <summary>
 Shutdown (halt) the system (systemd).
 </summary>
@@ -101117,7 +101875,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_service_status" lineno="1331">
+<interface name="init_service_status" lineno="1345">
 <summary>
 Allow specified domain to get init status
 </summary>
@@ -101127,7 +101885,7 @@ Domain to allow access.
 </summary>
 </param>
 </interface>
-<interface name="init_service_start" lineno="1350">
+<interface name="init_service_start" lineno="1364">
 <summary>
 Allow specified domain to get init start
 </summary>
@@ -101137,7 +101895,7 @@ Domain to allow access.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_chat" lineno="1370">
+<interface name="init_dbus_chat" lineno="1384">
 <summary>
 Send and receive messages from
 systemd over dbus.
@@ -101148,7 +101906,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_run_bpf" lineno="1390">
+<interface name="init_run_bpf" lineno="1404">
 <summary>
 Run init BPF programs.
 </summary>
@@ -101158,7 +101916,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_var_lib_links" lineno="1409">
+<interface name="init_read_var_lib_links" lineno="1422">
 <summary>
 read/follow symlinks under /var/lib/systemd/
 </summary>
@@ -101168,7 +101926,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_search_var_lib_dirs" lineno="1428">
+<interface name="init_search_var_lib_dirs" lineno="1441">
 <summary>
 Search /var/lib/systemd/ dirs
 </summary>
@@ -101178,7 +101936,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_var_lib_dirs" lineno="1447">
+<interface name="init_list_var_lib_dirs" lineno="1460">
 <summary>
 List /var/lib/systemd/ dir
 </summary>
@@ -101188,7 +101946,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_relabel_var_lib_dirs" lineno="1465">
+<interface name="init_relabel_var_lib_dirs" lineno="1478">
 <summary>
 Relabel dirs in /var/lib/systemd/.
 </summary>
@@ -101198,7 +101956,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_random_seed" lineno="1486">
+<interface name="init_manage_random_seed" lineno="1499">
 <summary>
 Create, read, write, and delete the
 pseudorandom number generator seed
@@ -101211,7 +101969,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_var_lib_files" lineno="1507">
+<interface name="init_manage_var_lib_files" lineno="1520">
 <summary>
 Manage files in /var/lib/systemd/.
 </summary>
@@ -101221,7 +101979,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_var_lib_filetrans" lineno="1542">
+<interface name="init_var_lib_filetrans" lineno="1555">
 <summary>
 Create files in /var/lib/systemd
 with an automatic type transition.
@@ -101247,7 +102005,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_search_runtime" lineno="1561">
+<interface name="init_search_runtime" lineno="1574">
 <summary>
 Search init runtime directories, e.g. /run/systemd.
 </summary>
@@ -101257,7 +102015,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_runtime" lineno="1579">
+<interface name="init_list_runtime" lineno="1592">
 <summary>
 List init runtime directories, e.g. /run/systemd.
 </summary>
@@ -101267,7 +102025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_runtime_dirs" lineno="1599">
+<interface name="init_manage_runtime_dirs" lineno="1612">
 <summary>
 Create, read, write, and delete
 directories in the /run/systemd directory.
@@ -101278,7 +102036,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_runtime_filetrans" lineno="1632">
+<interface name="init_manage_runtime_files" lineno="1631">
+<summary>
+Create, read, write, and delete
+files in the /run/systemd directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_runtime_filetrans" lineno="1664">
 <summary>
 Create files in an init runtime directory with a private type.
 </summary>
@@ -101303,7 +102072,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_write_runtime_files" lineno="1651">
+<interface name="init_write_runtime_files" lineno="1683">
 <summary>
 Write init runtime files, e.g. in /run/systemd.
 </summary>
@@ -101313,7 +102082,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_create_runtime_files" lineno="1669">
+<interface name="init_create_runtime_files" lineno="1701">
 <summary>
 Create init runtime files, e.g. in /run/systemd.
 </summary>
@@ -101323,7 +102092,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_runtime_symlinks" lineno="1687">
+<interface name="init_manage_runtime_symlinks" lineno="1719">
 <summary>
 Create init runtime symbolic links, e.g. in /run/systemd.
 </summary>
@@ -101333,7 +102102,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_initctl" lineno="1705">
+<interface name="init_getattr_initctl" lineno="1737">
 <summary>
 Get the attributes of initctl.
 </summary>
@@ -101343,7 +102112,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_getattr_initctl" lineno="1726">
+<interface name="init_dontaudit_getattr_initctl" lineno="1758">
 <summary>
 Do not audit attempts to get the
 attributes of initctl.
@@ -101354,7 +102123,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_write_initctl" lineno="1744">
+<interface name="init_write_initctl" lineno="1776">
 <summary>
 Write to initctl.
 </summary>
@@ -101364,7 +102133,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_telinit" lineno="1765">
+<interface name="init_telinit" lineno="1797">
 <summary>
 Use telinit (Read and write initctl).
 </summary>
@@ -101375,7 +102144,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_rw_initctl" lineno="1798">
+<interface name="init_rw_initctl" lineno="1830">
 <summary>
 Read and write initctl.
 </summary>
@@ -101385,7 +102154,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_rw_initctl" lineno="1819">
+<interface name="init_dontaudit_rw_initctl" lineno="1851">
 <summary>
 Do not audit attempts to read and
 write initctl.
@@ -101396,7 +102165,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_script_file_entry_type" lineno="1838">
+<interface name="init_script_file_entry_type" lineno="1870">
 <summary>
 Make init scripts an entry point for
 the specified domain.
@@ -101407,7 +102176,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_spec_domtrans_script" lineno="1861">
+<interface name="init_spec_domtrans_script" lineno="1893">
 <summary>
 Execute init scripts with a specified domain transition.
 </summary>
@@ -101417,7 +102186,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_domtrans_script" lineno="1888">
+<interface name="init_domtrans_script" lineno="1920">
 <summary>
 Execute init scripts with an automatic domain transition.
 </summary>
@@ -101427,7 +102196,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_domtrans_labeled_script" lineno="1923">
+<interface name="init_domtrans_labeled_script" lineno="1955">
 <summary>
 Execute labelled init scripts with an automatic domain transition.
 </summary>
@@ -101437,7 +102206,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_script_file_domtrans" lineno="1969">
+<interface name="init_script_file_domtrans" lineno="2001">
 <summary>
 Execute a init script in a specified domain.
 </summary>
@@ -101462,7 +102231,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="init_kill_scripts" lineno="1988">
+<interface name="init_kill_scripts" lineno="2020">
 <summary>
 Send a kill signal to init scripts.
 </summary>
@@ -101472,7 +102241,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_script_service" lineno="2006">
+<interface name="init_manage_script_service" lineno="2038">
 <summary>
 Allow manage service for initrc_exec_t scripts
 </summary>
@@ -101482,7 +102251,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_labeled_script_domtrans" lineno="2031">
+<interface name="init_labeled_script_domtrans" lineno="2063">
 <summary>
 Transition to the init script domain
 on a specified labeled init script.
@@ -101498,7 +102267,7 @@ Labeled init script file.
 </summary>
 </param>
 </interface>
-<interface name="init_all_labeled_script_domtrans" lineno="2053">
+<interface name="init_all_labeled_script_domtrans" lineno="2085">
 <summary>
 Transition to the init script domain
 for all labeled init script types
@@ -101509,7 +102278,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_get_script_status" lineno="2071">
+<interface name="init_get_script_status" lineno="2103">
 <summary>
 Allow getting service status of initrc_exec_t scripts
 </summary>
@@ -101519,7 +102288,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_startstop_service" lineno="2111">
+<interface name="init_startstop_service" lineno="2143">
 <summary>
 Allow the role to start and stop
 labeled services.
@@ -101550,7 +102319,7 @@ Systemd unit file type.
 </summary>
 </param>
 </interface>
-<interface name="init_run_daemon" lineno="2167">
+<interface name="init_run_daemon" lineno="2199">
 <summary>
 Start and stop daemon programs directly.
 </summary>
@@ -101572,7 +102341,7 @@ The role to be performing this action.
 </summary>
 </param>
 </interface>
-<interface name="init_startstop_all_script_services" lineno="2189">
+<interface name="init_startstop_all_script_services" lineno="2221">
 <summary>
 Start and stop init_script_file_type services
 </summary>
@@ -101582,7 +102351,7 @@ domain that can start and stop the services
 </summary>
 </param>
 </interface>
-<interface name="init_read_state" lineno="2208">
+<interface name="init_read_state" lineno="2240">
 <summary>
 Read the process state (/proc/pid) of init.
 </summary>
@@ -101592,7 +102361,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_state" lineno="2228">
+<interface name="init_dontaudit_read_state" lineno="2260">
 <summary>
 Dontaudit read the process state (/proc/pid) of init.
 </summary>
@@ -101602,7 +102371,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_ptrace" lineno="2249">
+<interface name="init_ptrace" lineno="2281">
 <summary>
 Ptrace init
 </summary>
@@ -101613,7 +102382,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_getattr" lineno="2268">
+<interface name="init_getattr" lineno="2300">
 <summary>
 get init process stats
 </summary>
@@ -101624,7 +102393,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_read_script_pipes" lineno="2286">
+<interface name="init_read_script_pipes" lineno="2318">
 <summary>
 Read an init script unnamed pipe.
 </summary>
@@ -101634,7 +102403,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_write_script_pipes" lineno="2304">
+<interface name="init_write_script_pipes" lineno="2336">
 <summary>
 Write an init script unnamed pipe.
 </summary>
@@ -101644,7 +102413,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_script_files" lineno="2322">
+<interface name="init_getattr_script_files" lineno="2354">
 <summary>
 Get the attribute of init script entrypoint files.
 </summary>
@@ -101654,7 +102423,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_files" lineno="2341">
+<interface name="init_read_script_files" lineno="2373">
 <summary>
 Read init scripts.
 </summary>
@@ -101664,7 +102433,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_exec_script_files" lineno="2360">
+<interface name="init_exec_script_files" lineno="2392">
 <summary>
 Execute init scripts in the caller domain.
 </summary>
@@ -101674,7 +102443,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_all_script_files" lineno="2379">
+<interface name="init_getattr_all_script_files" lineno="2411">
 <summary>
 Get the attribute of all init script entrypoint files.
 </summary>
@@ -101684,7 +102453,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_all_script_files" lineno="2398">
+<interface name="init_read_all_script_files" lineno="2430">
 <summary>
 Read all init script files.
 </summary>
@@ -101694,7 +102463,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_all_script_files" lineno="2422">
+<interface name="init_dontaudit_read_all_script_files" lineno="2454">
 <summary>
 Dontaudit read all init script files.
 </summary>
@@ -101704,7 +102473,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_exec_all_script_files" lineno="2440">
+<interface name="init_exec_all_script_files" lineno="2472">
 <summary>
 Execute all init scripts in the caller domain.
 </summary>
@@ -101714,7 +102483,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_state" lineno="2459">
+<interface name="init_read_script_state" lineno="2491">
 <summary>
 Read the process state (/proc/pid) of the init scripts.
 </summary>
@@ -101724,7 +102493,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_script_fds" lineno="2478">
+<interface name="init_use_script_fds" lineno="2510">
 <summary>
 Inherit and use init script file descriptors.
 </summary>
@@ -101734,7 +102503,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_use_script_fds" lineno="2497">
+<interface name="init_dontaudit_use_script_fds" lineno="2529">
 <summary>
 Do not audit attempts to inherit
 init script file descriptors.
@@ -101745,7 +102514,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_search_script_keys" lineno="2515">
+<interface name="init_search_script_keys" lineno="2547">
 <summary>
 Search init script keys.
 </summary>
@@ -101755,7 +102524,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getpgid_script" lineno="2533">
+<interface name="init_getpgid_script" lineno="2565">
 <summary>
 Get the process group ID of init scripts.
 </summary>
@@ -101765,7 +102534,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_sigchld_script" lineno="2551">
+<interface name="init_sigchld_script" lineno="2583">
 <summary>
 Send SIGCHLD signals to init scripts.
 </summary>
@@ -101775,7 +102544,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signal_script" lineno="2569">
+<interface name="init_signal_script" lineno="2601">
 <summary>
 Send generic signals to init scripts.
 </summary>
@@ -101785,7 +102554,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signull_script" lineno="2587">
+<interface name="init_signull_script" lineno="2619">
 <summary>
 Send null signals to init scripts.
 </summary>
@@ -101795,7 +102564,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_pipes" lineno="2605">
+<interface name="init_rw_script_pipes" lineno="2637">
 <summary>
 Read and write init script unnamed pipes.
 </summary>
@@ -101805,7 +102574,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stream_connect_script" lineno="2624">
+<interface name="init_stream_connect_script" lineno="2656">
 <summary>
 Allow the specified domain to connect to
 init scripts with a unix socket.
@@ -101816,7 +102585,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_stream_sockets" lineno="2643">
+<interface name="init_rw_script_stream_sockets" lineno="2675">
 <summary>
 Allow the specified domain to read/write to
 init scripts with a unix domain stream sockets.
@@ -101827,7 +102596,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_stream_connect_script" lineno="2662">
+<interface name="init_dontaudit_stream_connect_script" lineno="2694">
 <summary>
 Dont audit the specified domain connecting to
 init scripts with a unix domain stream socket.
@@ -101838,7 +102607,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_send_script" lineno="2679">
+<interface name="init_dbus_send_script" lineno="2711">
 <summary>
 Send messages to init scripts over dbus.
 </summary>
@@ -101848,7 +102617,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_chat_script" lineno="2699">
+<interface name="init_dbus_chat_script" lineno="2731">
 <summary>
 Send and receive messages from
 init scripts over dbus.
@@ -101859,7 +102628,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_script_ptys" lineno="2728">
+<interface name="init_use_script_ptys" lineno="2760">
 <summary>
 Read and write the init script pty.
 </summary>
@@ -101878,7 +102647,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_inherited_script_ptys" lineno="2747">
+<interface name="init_use_inherited_script_ptys" lineno="2779">
 <summary>
 Read and write inherited init script ptys.
 </summary>
@@ -101888,7 +102657,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_use_script_ptys" lineno="2769">
+<interface name="init_dontaudit_use_script_ptys" lineno="2801">
 <summary>
 Do not audit attempts to read and
 write the init script pty.
@@ -101899,7 +102668,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_script_status_files" lineno="2788">
+<interface name="init_getattr_script_status_files" lineno="2820">
 <summary>
 Get the attributes of init script
 status files.
@@ -101910,7 +102679,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_script_status_files" lineno="2807">
+<interface name="init_dontaudit_read_script_status_files" lineno="2839">
 <summary>
 Do not audit attempts to read init script
 status files.
@@ -101921,7 +102690,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_search_run" lineno="2826">
+<interface name="init_search_run" lineno="2858">
 <summary>
 Search the /run/systemd directory.
 </summary>
@@ -101931,7 +102700,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_tmp_files" lineno="2845">
+<interface name="init_read_script_tmp_files" lineno="2877">
 <summary>
 Read init script temporary data.
 </summary>
@@ -101941,7 +102710,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_inherited_script_tmp_files" lineno="2864">
+<interface name="init_rw_inherited_script_tmp_files" lineno="2896">
 <summary>
 Read and write init script inherited temporary data.
 </summary>
@@ -101951,7 +102720,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_tmp_files" lineno="2882">
+<interface name="init_rw_script_tmp_files" lineno="2914">
 <summary>
 Read and write init script temporary data.
 </summary>
@@ -101961,7 +102730,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_script_tmp_filetrans" lineno="2917">
+<interface name="init_script_tmp_filetrans" lineno="2949">
 <summary>
 Create files in a init script
 temporary data directory.
@@ -101987,7 +102756,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_utmp" lineno="2936">
+<interface name="init_getattr_utmp" lineno="2968">
 <summary>
 Get the attributes of init script process id files.
 </summary>
@@ -101997,7 +102766,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_utmp" lineno="2954">
+<interface name="init_read_utmp" lineno="2986">
 <summary>
 Read utmp.
 </summary>
@@ -102007,7 +102776,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_write_utmp" lineno="2973">
+<interface name="init_dontaudit_write_utmp" lineno="3005">
 <summary>
 Do not audit attempts to write utmp.
 </summary>
@@ -102017,7 +102786,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_write_utmp" lineno="2991">
+<interface name="init_write_utmp" lineno="3023">
 <summary>
 Write to utmp.
 </summary>
@@ -102027,7 +102796,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_lock_utmp" lineno="3011">
+<interface name="init_dontaudit_lock_utmp" lineno="3043">
 <summary>
 Do not audit attempts to lock
 init script pid files.
@@ -102038,7 +102807,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_utmp" lineno="3029">
+<interface name="init_rw_utmp" lineno="3061">
 <summary>
 Read and write utmp.
 </summary>
@@ -102048,7 +102817,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_rw_utmp" lineno="3048">
+<interface name="init_dontaudit_rw_utmp" lineno="3080">
 <summary>
 Do not audit attempts to read and write utmp.
 </summary>
@@ -102058,7 +102827,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_utmp" lineno="3066">
+<interface name="init_manage_utmp" lineno="3098">
 <summary>
 Create, read, write, and delete utmp.
 </summary>
@@ -102068,7 +102837,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_watch_utmp" lineno="3085">
+<interface name="init_watch_runtime_dirs" lineno="3117">
+<summary>
+Add a watch on init runtime
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_watch_utmp" lineno="3135">
 <summary>
 Add a watch on utmp.
 </summary>
@@ -102078,7 +102857,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_relabel_utmp" lineno="3103">
+<interface name="init_relabel_utmp" lineno="3153">
 <summary>
 Relabel utmp.
 </summary>
@@ -102088,7 +102867,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_runtime_filetrans_utmp" lineno="3122">
+<interface name="init_runtime_filetrans_utmp" lineno="3172">
 <summary>
 Create files in /var/run with the
 utmp file type.
@@ -102099,7 +102878,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_create_runtime_dirs" lineno="3140">
+<interface name="init_create_runtime_dirs" lineno="3190">
 <summary>
 Create a directory in the /run/systemd directory.
 </summary>
@@ -102109,7 +102888,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_files" lineno="3159">
+<interface name="init_read_runtime_files" lineno="3209">
 <summary>
 Read init_runtime_t files
 </summary>
@@ -102119,7 +102898,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_rename_runtime_files" lineno="3177">
+<interface name="init_rename_runtime_files" lineno="3227">
 <summary>
 Rename init_runtime_t files
 </summary>
@@ -102129,7 +102908,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_setattr_runtime_files" lineno="3195">
+<interface name="init_setattr_runtime_files" lineno="3245">
 <summary>
 Setattr init_runtime_t files
 </summary>
@@ -102139,7 +102918,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_delete_runtime_files" lineno="3213">
+<interface name="init_delete_runtime_files" lineno="3263">
 <summary>
 Delete init_runtime_t files
 </summary>
@@ -102149,7 +102928,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_write_runtime_socket" lineno="3232">
+<interface name="init_write_runtime_socket" lineno="3282">
 <summary>
 Allow the specified domain to write to
 init sock file.
@@ -102160,7 +102939,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_write_runtime_socket" lineno="3251">
+<interface name="init_dontaudit_write_runtime_socket" lineno="3301">
 <summary>
 Do not audit attempts to write to
 init sock files.
@@ -102171,7 +102950,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_pipes" lineno="3269">
+<interface name="init_read_runtime_pipes" lineno="3319">
 <summary>
 Read init unnamed pipes.
 </summary>
@@ -102181,7 +102960,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_symlinks" lineno="3287">
+<interface name="init_read_runtime_symlinks" lineno="3337">
 <summary>
 read systemd unit symlinks (usually under /run/systemd/units/)
 </summary>
@@ -102191,7 +102970,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_tcp_recvfrom_all_daemons" lineno="3305">
+<interface name="init_tcp_recvfrom_all_daemons" lineno="3355">
 <summary>
 Allow the specified domain to connect to daemon with a tcp socket
 </summary>
@@ -102201,7 +102980,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_udp_recvfrom_all_daemons" lineno="3323">
+<interface name="init_udp_recvfrom_all_daemons" lineno="3373">
 <summary>
 Allow the specified domain to connect to daemon with a udp socket
 </summary>
@@ -102211,7 +102990,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_status_files" lineno="3342">
+<interface name="init_read_script_status_files" lineno="3392">
 <summary>
 Allow reading the init script state files
 </summary>
@@ -102221,7 +103000,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="init_relabelto_script_state" lineno="3360">
+<interface name="init_relabelto_script_state" lineno="3410">
 <summary>
 Label to init script status files
 </summary>
@@ -102231,7 +103010,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="init_script_readable_type" lineno="3379">
+<interface name="init_script_readable_type" lineno="3429">
 <summary>
 Mark as a readable type for the initrc_t domain
 </summary>
@@ -102241,7 +103020,7 @@ Type that initrc_t needs read access to
 </summary>
 </param>
 </interface>
-<interface name="init_search_units" lineno="3397">
+<interface name="init_search_units" lineno="3447">
 <summary>
 Search systemd unit dirs.
 </summary>
@@ -102251,7 +103030,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_unit_dirs" lineno="3422">
+<interface name="init_list_unit_dirs" lineno="3472">
 <summary>
 List systemd unit dirs.
 </summary>
@@ -102261,7 +103040,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_generic_units_files" lineno="3442">
+<interface name="init_getattr_generic_units_files" lineno="3492">
 <summary>
 Get the attributes of systemd unit files
 </summary>
@@ -102271,7 +103050,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_generic_units_files" lineno="3460">
+<interface name="init_read_generic_units_files" lineno="3510">
 <summary>
 Read systemd unit files
 </summary>
@@ -102281,7 +103060,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_generic_units_symlinks" lineno="3478">
+<interface name="init_read_generic_units_symlinks" lineno="3528">
 <summary>
 Read systemd unit links
 </summary>
@@ -102291,7 +103070,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_generic_units_status" lineno="3496">
+<interface name="init_get_generic_units_status" lineno="3546">
 <summary>
 Get status of generic systemd units.
 </summary>
@@ -102301,7 +103080,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_generic_units" lineno="3515">
+<interface name="init_start_generic_units" lineno="3565">
 <summary>
 Start generic systemd units.
 </summary>
@@ -102311,7 +103090,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_generic_units" lineno="3534">
+<interface name="init_stop_generic_units" lineno="3584">
 <summary>
 Stop generic systemd units.
 </summary>
@@ -102321,7 +103100,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_generic_units" lineno="3553">
+<interface name="init_reload_generic_units" lineno="3603">
 <summary>
 Reload generic systemd units.
 </summary>
@@ -102331,7 +103110,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_runtime_units_status" lineno="3572">
+<interface name="init_get_runtime_units_status" lineno="3622">
 <summary>
 Get the status of runtime systemd units.
 </summary>
@@ -102341,7 +103120,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_runtime_units" lineno="3591">
+<interface name="init_start_runtime_units" lineno="3641">
 <summary>
 Start runtime systemd units.
 </summary>
@@ -102351,7 +103130,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_runtime_units" lineno="3610">
+<interface name="init_stop_runtime_units" lineno="3660">
 <summary>
 Stop runtime systemd units.
 </summary>
@@ -102361,7 +103140,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_transient_units_status" lineno="3629">
+<interface name="init_get_transient_units_status" lineno="3679">
 <summary>
 Get status of transient systemd units.
 </summary>
@@ -102371,7 +103150,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_transient_units" lineno="3648">
+<interface name="init_start_transient_units" lineno="3698">
 <summary>
 Start transient systemd units.
 </summary>
@@ -102381,7 +103160,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_transient_units" lineno="3667">
+<interface name="init_stop_transient_units" lineno="3717">
 <summary>
 Stop transient systemd units.
 </summary>
@@ -102391,7 +103170,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_transient_units" lineno="3686">
+<interface name="init_reload_transient_units" lineno="3736">
 <summary>
 Reload transient systemd units.
 </summary>
@@ -102401,7 +103180,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_all_units_status" lineno="3706">
+<interface name="init_get_all_units_status" lineno="3756">
 <summary>
 Get status of all systemd units.
 </summary>
@@ -102411,7 +103190,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_all_units" lineno="3725">
+<interface name="init_manage_all_units" lineno="3775">
 <summary>
 All perms on all systemd units.
 </summary>
@@ -102421,7 +103200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_all_units" lineno="3745">
+<interface name="init_start_all_units" lineno="3795">
 <summary>
 Start all systemd units.
 </summary>
@@ -102431,7 +103210,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_all_units" lineno="3764">
+<interface name="init_stop_all_units" lineno="3814">
 <summary>
 Stop all systemd units.
 </summary>
@@ -102441,7 +103220,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_all_units" lineno="3783">
+<interface name="init_reload_all_units" lineno="3833">
 <summary>
 Reload all systemd units.
 </summary>
@@ -102451,7 +103230,27 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_all_unit_files" lineno="3802">
+<interface name="init_list_all_units" lineno="3852">
+<summary>
+List systemd unit dirs and the files in them
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_getattr_all_unit_files" lineno="3871">
+<summary>
+Get the attributes of systemd unit directories and the files in them.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_manage_all_unit_files" lineno="3891">
 <summary>
 Manage systemd unit dirs and the files in them
 </summary>
@@ -102461,7 +103260,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_linkable_keyring" lineno="3823">
+<interface name="init_relabel_all_unit_files" lineno="3911">
+<summary>
+Relabel from and to systemd unit types.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_linkable_keyring" lineno="3932">
 <summary>
 Associate the specified domain to be a domain whose
 keyring init should be allowed to link.
@@ -102472,7 +103281,7 @@ Domain whose keyring init should be allowed to link.
 </summary>
 </param>
 </interface>
-<interface name="init_admin" lineno="3841">
+<interface name="init_admin" lineno="3950">
 <summary>
 Allow unconfined access to send instructions to init
 </summary>
@@ -102482,7 +103291,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_getrlimit" lineno="3873">
+<interface name="init_getrlimit" lineno="3982">
 <summary>
 Allow getting init_t rlimit
 </summary>
@@ -102492,7 +103301,7 @@ Source domain
 </summary>
 </param>
 </interface>
-<interface name="init_search_keys" lineno="3891">
+<interface name="init_search_keys" lineno="4000">
 <summary>
 Allow searching init_t keys
 </summary>
@@ -104454,7 +105263,29 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="lvm_admin" lineno="191">
+<interface name="lvm_manage_lock_files" lineno="186">
+<summary>
+Manage lvm_lock_t files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="lvm_manage_runtime_files" lineno="205">
+<summary>
+Manage LVM runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="lvm_admin" lineno="229">
 <summary>
 All of the rules required to
 administrate an lvm environment.
@@ -105418,6 +106249,16 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<interface name="mount_manage_runtime_files" lineno="359">
+<summary>
+Manage mount runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
 <tunable name="allow_mount_anyfile" dftval="false">
 <desc>
 <p>
@@ -106534,7 +107375,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_relabel_config" lineno="505">
+<interface name="sysnet_relabel_config" lineno="506">
 <summary>
 Relabel network config files.
 </summary>
@@ -106544,7 +107385,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_etc_filetrans_config" lineno="530">
+<interface name="sysnet_etc_filetrans_config" lineno="531">
 <summary>
 Create files in /etc with the type used for
 the network config files.
@@ -106560,7 +107401,28 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_manage_config" lineno="548">
+<interface name="sysnet_runtime_filetrans_config" lineno="560">
+<summary>
+Create files in /run with the type used for
+the network config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_manage_config" lineno="578">
 <summary>
 Create, read, write, and delete network config files.
 </summary>
@@ -106570,7 +107432,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_watch_config_dirs" lineno="580">
+<interface name="sysnet_watch_config_dirs" lineno="610">
 <summary>
 Watch a network config dir
 </summary>
@@ -106580,7 +107442,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_read_dhcpc_runtime_files" lineno="598">
+<interface name="sysnet_read_dhcpc_runtime_files" lineno="628">
 <summary>
 Read dhcp client runtime files.
 </summary>
@@ -106590,7 +107452,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_delete_dhcpc_runtime_files" lineno="617">
+<interface name="sysnet_delete_dhcpc_runtime_files" lineno="647">
 <summary>
 Delete the dhcp client runtime files.
 </summary>
@@ -106600,7 +107462,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_manage_dhcpc_runtime_files" lineno="635">
+<interface name="sysnet_manage_dhcpc_runtime_files" lineno="665">
 <summary>
 Create, read, write, and delete dhcp client runtime files.
 </summary>
@@ -106610,7 +107472,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_domtrans_ifconfig" lineno="653">
+<interface name="sysnet_domtrans_ifconfig" lineno="683">
 <summary>
 Execute ifconfig in the ifconfig domain.
 </summary>
@@ -106620,7 +107482,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_run_ifconfig" lineno="680">
+<interface name="sysnet_run_ifconfig" lineno="710">
 <summary>
 Execute ifconfig in the ifconfig domain, and
 allow the specified role the ifconfig domain,
@@ -106638,7 +107500,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="sysnet_exec_ifconfig" lineno="700">
+<interface name="sysnet_exec_ifconfig" lineno="730">
 <summary>
 Execute ifconfig in the caller domain.
 </summary>
@@ -106648,7 +107510,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_signal_ifconfig" lineno="720">
+<interface name="sysnet_signal_ifconfig" lineno="750">
 <summary>
 Send a generic signal to ifconfig.
 </summary>
@@ -106659,7 +107521,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="sysnet_signull_ifconfig" lineno="739">
+<interface name="sysnet_signull_ifconfig" lineno="769">
 <summary>
 Send null signals to ifconfig.
 </summary>
@@ -106670,7 +107532,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="sysnet_create_netns_dirs" lineno="758">
+<interface name="sysnet_create_netns_dirs" lineno="788">
 <summary>
 Create the /run/netns directory with
 an automatic type transition.
@@ -106681,7 +107543,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_netns_filetrans" lineno="792">
+<interface name="sysnet_netns_filetrans" lineno="822">
 <summary>
 Create an object in the /run/netns
 directory with a private type.
@@ -106707,7 +107569,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_read_dhcp_config" lineno="813">
+<interface name="sysnet_read_dhcp_config" lineno="843">
 <summary>
 Read the DHCP configuration files.
 </summary>
@@ -106717,7 +107579,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_search_dhcp_state" lineno="833">
+<interface name="sysnet_search_dhcp_state" lineno="863">
 <summary>
 Search the DHCP state data directory.
 </summary>
@@ -106727,7 +107589,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_dhcp_state_filetrans" lineno="877">
+<interface name="sysnet_dhcp_state_filetrans" lineno="907">
 <summary>
 Create DHCP state data.
 </summary>
@@ -106762,7 +107624,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_dns_name_resolve" lineno="897">
+<interface name="sysnet_dns_name_resolve" lineno="927">
 <summary>
 Perform a DNS name resolution.
 </summary>
@@ -106773,7 +107635,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="sysnet_use_ldap" lineno="948">
+<interface name="sysnet_use_ldap" lineno="978">
 <summary>
 Connect and use a LDAP server.
 </summary>
@@ -106783,7 +107645,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_use_portmap" lineno="975">
+<interface name="sysnet_use_portmap" lineno="1005">
 <summary>
 Connect and use remote port mappers.
 </summary>
@@ -106793,7 +107655,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_dhcpc_script_entry" lineno="1009">
+<interface name="sysnet_dhcpc_script_entry" lineno="1039">
 <summary>
 Make the specified program domain
 accessable from the DHCP hooks/scripts.
@@ -106840,7 +107702,7 @@ The user domain for the role.
 </summary>
 </param>
 </template>
-<template name="systemd_user_daemon_domain" lineno="223">
+<template name="systemd_user_daemon_domain" lineno="252">
 <summary>
 Allow the specified domain to be started as a daemon by the
 specified systemd user instance.
@@ -106861,7 +107723,7 @@ Domain to allow the systemd user domain to run.
 </summary>
 </param>
 </template>
-<interface name="systemd_user_activated_sock_file" lineno="244">
+<interface name="systemd_user_activated_sock_file" lineno="273">
 <summary>
 Associate the specified file type to be a type whose sock files
 can be managed by systemd user instances for socket activation.
@@ -106872,7 +107734,7 @@ File type to be associated.
 </summary>
 </param>
 </interface>
-<interface name="systemd_user_unix_stream_activated_socket" lineno="269">
+<interface name="systemd_user_unix_stream_activated_socket" lineno="298">
 <summary>
 Associate the specified domain to be a domain whose unix stream
 sockets and sock files can be managed by systemd user instances
@@ -106889,7 +107751,7 @@ File type of the domain's sock files to be associated.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_notify_socket" lineno="289">
+<interface name="systemd_write_notify_socket" lineno="318">
 <summary>
 Allow the specified domain to write to
 systemd-notify socket
@@ -106900,7 +107762,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="systemd_user_send_systemd_notify" lineno="316">
+<template name="systemd_user_send_systemd_notify" lineno="345">
 <summary>
 Allow the target domain the permissions necessary
 to use systemd notify when started by the specified
@@ -106917,7 +107779,7 @@ Domain to be allowed systemd notify permissions.
 </summary>
 </param>
 </template>
-<template name="systemd_user_app_status" lineno="344">
+<template name="systemd_user_app_status" lineno="373">
 <summary>
 Allow the target domain to be monitored and have its output
 captured by the specified systemd user instance domain.
@@ -106933,7 +107795,7 @@ Domain to allow the systemd user instance to monitor.
 </summary>
 </param>
 </template>
-<template name="systemd_read_user_manager_state" lineno="384">
+<template name="systemd_read_user_manager_state" lineno="413">
 <summary>
 Read the process state (/proc/pid) of
 the specified systemd user instance.
@@ -106949,7 +107811,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_start" lineno="408">
+<template name="systemd_user_manager_system_start" lineno="437">
 <summary>
 Send a start request to the specified
 systemd user instance system object.
@@ -106965,7 +107827,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_stop" lineno="432">
+<template name="systemd_user_manager_system_stop" lineno="462">
 <summary>
 Send a stop request to the specified
 systemd user instance system object.
@@ -106981,7 +107843,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_status" lineno="456">
+<template name="systemd_user_manager_system_status" lineno="487">
 <summary>
 Get the status of the specified
 systemd user instance system object.
@@ -106997,7 +107859,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_dbus_chat" lineno="480">
+<template name="systemd_user_manager_dbus_chat" lineno="512">
 <summary>
 Send and receive messages from the
 specified systemd user instance over dbus.
@@ -107013,7 +107875,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="systemd_search_conf_home_content" lineno="501">
+<interface name="systemd_search_conf_home_content" lineno="533">
 <summary>
 Allow the specified domain to search systemd config home
 content.
@@ -107024,7 +107886,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_conf_home_content" lineno="520">
+<interface name="systemd_manage_conf_home_content" lineno="552">
 <summary>
 Allow the specified domain to manage systemd config home
 content.
@@ -107035,7 +107897,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabel_conf_home_content" lineno="541">
+<interface name="systemd_relabel_conf_home_content" lineno="573">
 <summary>
 Allow the specified domain to relabel systemd config home
 content.
@@ -107046,7 +107908,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_data_home_content" lineno="562">
+<interface name="systemd_search_data_home_content" lineno="594">
 <summary>
 Allow the specified domain to search systemd data home
 content.
@@ -107057,7 +107919,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_data_home_content" lineno="581">
+<interface name="systemd_manage_data_home_content" lineno="613">
 <summary>
 Allow the specified domain to manage systemd data home
 content.
@@ -107068,7 +107930,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabel_data_home_content" lineno="602">
+<interface name="systemd_relabel_data_home_content" lineno="634">
 <summary>
 Allow the specified domain to relabel systemd data home
 content.
@@ -107079,7 +107941,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_runtime" lineno="623">
+<interface name="systemd_search_user_runtime" lineno="655">
 <summary>
 Allow the specified domain to search systemd user runtime
 content.
@@ -107090,7 +107952,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_files" lineno="641">
+<interface name="systemd_read_user_runtime_files" lineno="673">
 <summary>
 Allow the specified domain to read systemd user runtime files.
 </summary>
@@ -107100,7 +107962,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_lnk_files" lineno="659">
+<interface name="systemd_read_user_runtime_lnk_files" lineno="691">
 <summary>
 Allow the specified domain to read systemd user runtime lnk files.
 </summary>
@@ -107110,7 +107972,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_user_runtime_socket" lineno="678">
+<interface name="systemd_write_user_runtime_socket" lineno="710">
 <summary>
 Allow the specified domain to write to
 the systemd user runtime named socket.
@@ -107121,7 +107983,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_unit_files" lineno="697">
+<interface name="systemd_read_user_unit_files" lineno="729">
 <summary>
 Allow the specified domain to read system-wide systemd
 user unit files.  (Deprecated)
@@ -107132,7 +107994,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_units_files" lineno="713">
+<interface name="systemd_read_user_units_files" lineno="745">
 <summary>
 Allow the specified domain to read system-wide systemd
 user unit files.
@@ -107143,7 +108005,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_units" lineno="733">
+<interface name="systemd_read_user_runtime_units" lineno="765">
 <summary>
 Allow the specified domain to read systemd user runtime unit files.  (Deprecated)
 </summary>
@@ -107153,7 +108015,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_units_files" lineno="748">
+<interface name="systemd_read_user_runtime_units_files" lineno="780">
 <summary>
 Allow the specified domain to read systemd user runtime unit files.
 </summary>
@@ -107163,7 +108025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_runtime_unit_dirs" lineno="768">
+<interface name="systemd_search_user_runtime_unit_dirs" lineno="800">
 <summary>
 Allow the specified domain to search systemd user runtime unit
 directories.
@@ -107174,7 +108036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_user_runtime_unit_dirs" lineno="787">
+<interface name="systemd_list_user_runtime_unit_dirs" lineno="819">
 <summary>
 Allow the specified domain to list the contents of systemd
 user runtime unit directories.
@@ -107185,7 +108047,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_user_runtime_units" lineno="805">
+<interface name="systemd_status_user_runtime_units" lineno="837">
 <summary>
 Allow the specified domain to get the status of systemd user runtime units.  (Deprecated)
 </summary>
@@ -107195,7 +108057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_runtime_units_status" lineno="820">
+<interface name="systemd_get_user_runtime_units_status" lineno="852">
 <summary>
 Allow the specified domain to get the status of systemd user runtime units.
 </summary>
@@ -107205,7 +108067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_runtime_units" lineno="839">
+<interface name="systemd_start_user_runtime_units" lineno="871">
 <summary>
 Allow the specified domain to start systemd user runtime units.
 </summary>
@@ -107215,7 +108077,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_runtime_units" lineno="858">
+<interface name="systemd_stop_user_runtime_units" lineno="890">
 <summary>
 Allow the specified domain to stop systemd user runtime units.
 </summary>
@@ -107225,7 +108087,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_runtime_units" lineno="877">
+<interface name="systemd_reload_user_runtime_units" lineno="909">
 <summary>
 Allow the specified domain to reload systemd user runtime units.
 </summary>
@@ -107235,7 +108097,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_transient_units_files" lineno="896">
+<interface name="systemd_read_user_transient_units_files" lineno="928">
 <summary>
 Allow the specified domain to read systemd user transient unit files.
 </summary>
@@ -107245,7 +108107,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_transient_unit_dirs" lineno="916">
+<interface name="systemd_search_user_transient_unit_dirs" lineno="948">
 <summary>
 Allow the specified domain to search systemd user transient unit
 directories.
@@ -107256,7 +108118,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_user_transient_unit_dirs" lineno="935">
+<interface name="systemd_list_user_transient_unit_dirs" lineno="967">
 <summary>
 Allow the specified domain to list the contents of systemd
 user transient unit directories.
@@ -107267,7 +108129,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_transient_units_status" lineno="953">
+<interface name="systemd_get_user_transient_units_status" lineno="985">
 <summary>
 Allow the specified domain to get the status of systemd user transient units.
 </summary>
@@ -107277,7 +108139,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_transient_units" lineno="972">
+<interface name="systemd_start_user_transient_units" lineno="1004">
 <summary>
 Allow the specified domain to start systemd user transient units.
 </summary>
@@ -107287,7 +108149,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_transient_units" lineno="991">
+<interface name="systemd_stop_user_transient_units" lineno="1023">
 <summary>
 Allow the specified domain to stop systemd user transient units.
 </summary>
@@ -107297,7 +108159,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_transient_units" lineno="1010">
+<interface name="systemd_reload_user_transient_units" lineno="1042">
 <summary>
 Allow the specified domain to reload systemd user transient units.
 </summary>
@@ -107307,7 +108169,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_log_parse_environment" lineno="1030">
+<interface name="systemd_log_parse_environment" lineno="1062">
 <summary>
 Make the specified type usable as an
 log parse environment type.
@@ -107318,7 +108180,7 @@ Type to be used as a log parse environment type.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_nss" lineno="1050">
+<interface name="systemd_use_nss" lineno="1082">
 <summary>
 Allow domain to use systemd's Name Service Switch (NSS) module.
 This module provides UNIX user and group name resolution for dynamic users
@@ -107330,7 +108192,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_PrivateDevices" lineno="1077">
+<interface name="systemd_PrivateDevices" lineno="1109">
 <summary>
 Allow domain to be used as a systemd service with a unit
 that uses PrivateDevices=yes in section [Service].
@@ -107341,7 +108203,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_rw_homework_semaphores" lineno="1094">
+<interface name="systemd_rw_homework_semaphores" lineno="1126">
 <summary>
 Read and write systemd-homework semaphores.
 </summary>
@@ -107351,7 +108213,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_hwdb" lineno="1112">
+<interface name="systemd_read_hwdb" lineno="1144">
 <summary>
 Allow domain to read udev hwdb file
 </summary>
@@ -107361,7 +108223,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_map_hwdb" lineno="1130">
+<interface name="systemd_map_hwdb" lineno="1162">
 <summary>
 Allow domain to map udev hwdb file
 </summary>
@@ -107371,7 +108233,59 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_logind_runtime_dirs" lineno="1148">
+<interface name="systemd_list_log_dirs" lineno="1180">
+<summary>
+List files in /var/log/systemd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_create_log_files" lineno="1199">
+<summary>
+Create files in /var/log/systemd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_write_log_files" lineno="1218">
+<summary>
+Write to files in /var/log/systemd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_setattr_log_files" lineno="1238">
+<summary>
+Set the attributes of files in
+/var/log/systemd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_create_log_dirs" lineno="1257">
+<summary>
+Create the /var/log/systemd directory
+with an automatic type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_watch_logind_runtime_dirs" lineno="1276">
 <summary>
 Watch systemd-logind runtime dirs.
 </summary>
@@ -107381,7 +108295,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_runtime_files" lineno="1167">
+<interface name="systemd_read_logind_runtime_files" lineno="1295">
 <summary>
 Read systemd-logind runtime files.
 </summary>
@@ -107391,7 +108305,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_logind_runtime_pipes" lineno="1187">
+<interface name="systemd_manage_logind_runtime_pipes" lineno="1315">
 <summary>
 Manage systemd-logind runtime pipes.
 </summary>
@@ -107401,7 +108315,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_logind_runtime_pipes" lineno="1206">
+<interface name="systemd_write_logind_runtime_pipes" lineno="1334">
 <summary>
 Write systemd-logind runtime named pipe.
 </summary>
@@ -107411,7 +108325,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_logind_fds" lineno="1227">
+<interface name="systemd_use_logind_fds" lineno="1355">
 <summary>
 Use inherited systemd
 logind file descriptors.
@@ -107422,7 +108336,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_logind_sessions_dirs" lineno="1245">
+<interface name="systemd_watch_logind_sessions_dirs" lineno="1373">
 <summary>
 Watch logind sessions dirs.
 </summary>
@@ -107432,7 +108346,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_sessions_files" lineno="1264">
+<interface name="systemd_read_logind_sessions_files" lineno="1392">
 <summary>
 Read logind sessions files.
 </summary>
@@ -107442,7 +108356,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1285">
+<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1413">
 <summary>
 Write inherited logind sessions pipes.
 </summary>
@@ -107452,7 +108366,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1305">
+<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1433">
 <summary>
 Write inherited logind inhibit pipes.
 </summary>
@@ -107462,7 +108376,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_logind" lineno="1326">
+<interface name="systemd_dbus_chat_logind" lineno="1454">
 <summary>
 Send and receive messages from
 systemd logind over dbus.
@@ -107473,7 +108387,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_logind" lineno="1346">
+<interface name="systemd_status_logind" lineno="1474">
 <summary>
 Get the system status information from systemd_login
 </summary>
@@ -107483,7 +108397,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_signull_logind" lineno="1365">
+<interface name="systemd_signull_logind" lineno="1493">
 <summary>
 Send systemd_login a null signal.
 </summary>
@@ -107493,7 +108407,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_userdb_runtime_dirs" lineno="1383">
+<interface name="systemd_list_userdb_runtime_dirs" lineno="1511">
 <summary>
 List the contents of systemd userdb runtime directories.
 </summary>
@@ -107503,7 +108417,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_dirs" lineno="1401">
+<interface name="systemd_manage_userdb_runtime_dirs" lineno="1529">
 <summary>
 Manage systemd userdb runtime directories.
 </summary>
@@ -107513,7 +108427,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_userdb_runtime_files" lineno="1419">
+<interface name="systemd_read_userdb_runtime_files" lineno="1547">
 <summary>
 Read systemd userdb runtime files.
 </summary>
@@ -107523,7 +108437,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1437">
+<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1565">
 <summary>
 Manage symbolic links under /run/systemd/userdb.
 </summary>
@@ -107533,7 +108447,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1455">
+<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1583">
 <summary>
 Manage socket files under /run/systemd/userdb .
 </summary>
@@ -107543,7 +108457,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_userdb" lineno="1473">
+<interface name="systemd_stream_connect_userdb" lineno="1601">
 <summary>
 Connect to /run/systemd/userdb/io.systemd.DynamicUser .
 </summary>
@@ -107553,7 +108467,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_machines" lineno="1495">
+<interface name="systemd_read_machines" lineno="1623">
 <summary>
 Allow reading /run/systemd/machines
 </summary>
@@ -107563,7 +108477,7 @@ Domain that can access the machines files
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_machines_dirs" lineno="1514">
+<interface name="systemd_watch_machines_dirs" lineno="1642">
 <summary>
 Allow watching /run/systemd/machines
 </summary>
@@ -107573,7 +108487,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_connect_machined" lineno="1532">
+<interface name="systemd_connect_machined" lineno="1660">
 <summary>
 Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
 </summary>
@@ -107583,7 +108497,7 @@ Domain that can access the socket
 </summary>
 </param>
 </interface>
-<interface name="systemd_dontaudit_connect_machined" lineno="1550">
+<interface name="systemd_dontaudit_connect_machined" lineno="1678">
 <summary>
 dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket
 </summary>
@@ -107593,7 +108507,7 @@ Domain that can access the socket
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_machined" lineno="1569">
+<interface name="systemd_dbus_chat_machined" lineno="1697">
 <summary>
 Send and receive messages from
 systemd machined over dbus.
@@ -107604,7 +108518,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_hostnamed" lineno="1590">
+<interface name="systemd_dbus_chat_hostnamed" lineno="1718">
 <summary>
 Send and receive messages from
 systemd hostnamed over dbus.
@@ -107615,7 +108529,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_passwd_agent_fds" lineno="1610">
+<interface name="systemd_use_passwd_agent_fds" lineno="1738">
 <summary>
 allow systemd_passwd_agent to inherit fds
 </summary>
@@ -107625,7 +108539,7 @@ Domain that owns the fds
 </summary>
 </param>
 </interface>
-<interface name="systemd_run_passwd_agent" lineno="1633">
+<interface name="systemd_run_passwd_agent" lineno="1761">
 <summary>
 allow systemd_passwd_agent to be run by admin
 </summary>
@@ -107640,7 +108554,7 @@ role that it runs in
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_passwd_agent" lineno="1654">
+<interface name="systemd_use_passwd_agent" lineno="1782">
 <summary>
 Allow a systemd_passwd_agent_t process to interact with a daemon
 that needs a password from the sysadmin.
@@ -107651,7 +108565,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1678">
+<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1806">
 <summary>
 Transition to systemd_passwd_runtime_t when creating dirs
 </summary>
@@ -107661,7 +108575,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1699">
+<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1827">
 <summary>
 Transition to systemd_userdbd_runtime_t when
 creating the userdb directory inside an init runtime
@@ -107673,7 +108587,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1717">
+<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1845">
 <summary>
 Allow to domain to create systemd-passwd symlink
 </summary>
@@ -107683,7 +108597,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_passwd_runtime_dirs" lineno="1735">
+<interface name="systemd_watch_passwd_runtime_dirs" lineno="1863">
 <summary>
 Allow a domain to watch systemd-passwd runtime dirs.
 </summary>
@@ -107693,7 +108607,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_journal_dirs" lineno="1753">
+<interface name="systemd_list_journal_dirs" lineno="1881">
 <summary>
 Allow domain to list the contents of systemd_journal_t dirs
 </summary>
@@ -107703,7 +108617,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_journal_files" lineno="1771">
+<interface name="systemd_read_journal_files" lineno="1899">
 <summary>
 Allow domain to read systemd_journal_t files
 </summary>
@@ -107713,7 +108627,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_journal_files" lineno="1790">
+<interface name="systemd_manage_journal_files" lineno="1918">
 <summary>
 Allow domain to create/manage systemd_journal_t files
 </summary>
@@ -107723,7 +108637,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_journal_dirs" lineno="1810">
+<interface name="systemd_watch_journal_dirs" lineno="1938">
 <summary>
 Allow domain to add a watch on systemd_journal_t directories
 </summary>
@@ -107733,7 +108647,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelfrom_journal_files" lineno="1828">
+<interface name="systemd_relabelfrom_journal_files" lineno="1956">
 <summary>
 Relabel from systemd-journald file type.
 </summary>
@@ -107743,7 +108657,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_journal_dirs" lineno="1846">
+<interface name="systemd_relabelto_journal_dirs" lineno="1974">
 <summary>
 Relabel to systemd-journald directory type.
 </summary>
@@ -107753,7 +108667,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_journal_files" lineno="1865">
+<interface name="systemd_relabelto_journal_files" lineno="1993">
 <summary>
 Relabel to systemd-journald file type.
 </summary>
@@ -107763,7 +108677,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_networkd_units" lineno="1885">
+<interface name="systemd_read_networkd_units" lineno="2013">
 <summary>
 Allow domain to read systemd_networkd_t unit files
 </summary>
@@ -107773,7 +108687,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_networkd_units" lineno="1905">
+<interface name="systemd_manage_networkd_units" lineno="2033">
 <summary>
 Allow domain to create/manage systemd_networkd_t unit files
 </summary>
@@ -107783,7 +108697,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_enabledisable_networkd" lineno="1925">
+<interface name="systemd_enabledisable_networkd" lineno="2053">
 <summary>
 Allow specified domain to enable systemd-networkd units
 </summary>
@@ -107793,7 +108707,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_startstop_networkd" lineno="1944">
+<interface name="systemd_startstop_networkd" lineno="2072">
 <summary>
 Allow specified domain to start systemd-networkd units
 </summary>
@@ -107803,7 +108717,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_networkd" lineno="1964">
+<interface name="systemd_dbus_chat_networkd" lineno="2092">
 <summary>
 Send and receive messages from
 systemd networkd over dbus.
@@ -107814,7 +108728,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_networkd" lineno="1984">
+<interface name="systemd_status_networkd" lineno="2112">
 <summary>
 Allow specified domain to get status of systemd-networkd
 </summary>
@@ -107824,7 +108738,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="2003">
+<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="2131">
 <summary>
 Relabel systemd_networkd tun socket.
 </summary>
@@ -107834,7 +108748,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="2021">
+<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="2149">
 <summary>
 Read/Write from systemd_networkd netlink route socket.
 </summary>
@@ -107844,7 +108758,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_networkd_runtime" lineno="2039">
+<interface name="systemd_list_networkd_runtime" lineno="2167">
 <summary>
 Allow domain to list dirs under /run/systemd/netif
 </summary>
@@ -107854,7 +108768,7 @@ domain permitted the access
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_networkd_runtime_dirs" lineno="2058">
+<interface name="systemd_watch_networkd_runtime_dirs" lineno="2186">
 <summary>
 Watch directories under /run/systemd/netif
 </summary>
@@ -107864,7 +108778,7 @@ Domain permitted the access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_networkd_runtime" lineno="2077">
+<interface name="systemd_read_networkd_runtime" lineno="2205">
 <summary>
 Allow domain to read files generated by systemd_networkd
 </summary>
@@ -107874,7 +108788,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_state" lineno="2096">
+<interface name="systemd_read_logind_state" lineno="2224">
 <summary>
 Allow systemd_logind_t to read process state for cgroup file
 </summary>
@@ -107884,7 +108798,7 @@ Domain systemd_logind_t may access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_create_logind_linger_dir" lineno="2117">
+<interface name="systemd_create_logind_linger_dir" lineno="2245">
 <summary>
 Allow the specified domain to create
 the systemd-logind linger directory with
@@ -107896,7 +108810,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_manager_units" lineno="2137">
+<interface name="systemd_start_user_manager_units" lineno="2265">
 <summary>
 Allow the specified domain to start systemd
 user manager units (systemd --user).
@@ -107907,7 +108821,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_manager_units" lineno="2157">
+<interface name="systemd_stop_user_manager_units" lineno="2285">
 <summary>
 Allow the specified domain to stop systemd
 user manager units (systemd --user).
@@ -107918,7 +108832,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_manager_units" lineno="2177">
+<interface name="systemd_reload_user_manager_units" lineno="2305">
 <summary>
 Allow the specified domain to reload systemd
 user manager units (systemd --user).
@@ -107929,7 +108843,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_manager_units_status" lineno="2197">
+<interface name="systemd_get_user_manager_units_status" lineno="2325">
 <summary>
 Get the status of systemd user manager
 units (systemd --user).
@@ -107940,7 +108854,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_power_units" lineno="2216">
+<interface name="systemd_start_power_units" lineno="2344">
 <summary>
 Allow specified domain to start power units
 </summary>
@@ -107950,7 +108864,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_power_units" lineno="2235">
+<interface name="systemd_status_power_units" lineno="2363">
 <summary>
 Get the system status information about power units
 </summary>
@@ -107960,7 +108874,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_socket_proxyd" lineno="2254">
+<interface name="systemd_stream_connect_socket_proxyd" lineno="2382">
 <summary>
 Allows connections to the systemd-socket-proxyd's socket.
 </summary>
@@ -107970,7 +108884,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_conf_file" lineno="2273">
+<interface name="systemd_tmpfiles_conf_file" lineno="2401">
 <summary>
 Make the specified type usable for
 systemd tmpfiles config files.
@@ -107981,7 +108895,7 @@ Type to be used for systemd tmpfiles config files.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_creator" lineno="2294">
+<interface name="systemd_tmpfiles_creator" lineno="2422">
 <summary>
 Allow the specified domain to create
 the tmpfiles config directory with
@@ -107993,7 +108907,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_conf_filetrans" lineno="2330">
+<interface name="systemd_tmpfiles_conf_filetrans" lineno="2458">
 <summary>
 Create an object in the systemd tmpfiles config
 directory, with a private type
@@ -108020,7 +108934,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_tmpfiles_conf" lineno="2349">
+<interface name="systemd_list_tmpfiles_conf" lineno="2477">
 <summary>
 Allow domain to list systemd tmpfiles config directory
 </summary>
@@ -108030,7 +108944,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2367">
+<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2495">
 <summary>
 Allow domain to relabel to systemd tmpfiles config directory
 </summary>
@@ -108040,7 +108954,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2385">
+<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2513">
 <summary>
 Allow domain to relabel to systemd tmpfiles config files
 </summary>
@@ -108050,7 +108964,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfilesd_managed" lineno="2403">
+<interface name="systemd_tmpfilesd_managed" lineno="2531">
 <summary>
 Allow systemd_tmpfiles_t to manage filesystem objects
 </summary>
@@ -108060,7 +108974,7 @@ Type of object to manage
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_resolved" lineno="2430">
+<interface name="systemd_stream_connect_resolved" lineno="2558">
 <summary>
 Connect to systemd resolved over
 /run/systemd/resolve/io.systemd.Resolve .
@@ -108071,7 +108985,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_resolved" lineno="2451">
+<interface name="systemd_dbus_chat_resolved" lineno="2579">
 <summary>
 Send and receive messages from
 systemd resolved over dbus.
@@ -108082,7 +108996,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_resolved_runtime" lineno="2471">
+<interface name="systemd_read_resolved_runtime" lineno="2599">
 <summary>
 Allow domain to read resolv.conf file generated by systemd_resolved
 </summary>
@@ -108092,7 +109006,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_exec_systemctl" lineno="2493">
+<interface name="systemd_exec_systemctl" lineno="2621">
 <summary>
 Execute the systemctl program.
 </summary>
@@ -108102,7 +109016,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_getattr_updated_runtime" lineno="2524">
+<interface name="systemd_getattr_updated_runtime" lineno="2654">
 <summary>
 Allow domain to getattr on .updated file (generated by systemd-update-done
 </summary>
@@ -108112,7 +109026,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_all_user_keys" lineno="2542">
+<interface name="systemd_search_all_user_keys" lineno="2672">
 <summary>
 Search keys for the all systemd --user domains.
 </summary>
@@ -108122,7 +109036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_create_all_user_keys" lineno="2560">
+<interface name="systemd_create_all_user_keys" lineno="2690">
 <summary>
 Create keys for the all systemd --user domains.
 </summary>
@@ -108132,7 +109046,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_all_user_keys" lineno="2578">
+<interface name="systemd_write_all_user_keys" lineno="2708">
 <summary>
 Write keys for the all systemd --user domains.
 </summary>
@@ -108142,7 +109056,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_domtrans_sysusers" lineno="2597">
+<interface name="systemd_domtrans_sysusers" lineno="2727">
 <summary>
 Execute systemd-sysusers in the
 systemd sysusers domain.
@@ -108153,7 +109067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_run_sysusers" lineno="2622">
+<interface name="systemd_run_sysusers" lineno="2752">
 <summary>
 Run systemd-sysusers with a domain transition.
 </summary>
@@ -108169,7 +109083,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="systemd_use_inherited_machined_ptys" lineno="2642">
+<interface name="systemd_use_inherited_machined_ptys" lineno="2772">
 <summary>
 receive and use a systemd_machined_devpts_t file handle
 </summary>
@@ -108820,7 +109734,7 @@ Domain to make unconfined.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_domain" lineno="154">
+<interface name="unconfined_domain" lineno="153">
 <summary>
 Make the specified domain unconfined and
 audit executable heap usage.
@@ -108848,7 +109762,7 @@ Domain to make unconfined.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_domtrans" lineno="172">
+<interface name="unconfined_domtrans" lineno="171">
 <summary>
 Transition to the unconfined domain.
 </summary>
@@ -108858,7 +109772,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_run" lineno="195">
+<interface name="unconfined_run" lineno="194">
 <summary>
 Execute specified programs in the unconfined domain.
 </summary>
@@ -108873,7 +109787,7 @@ The role to allow the unconfined domain.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_shell_domtrans" lineno="214">
+<interface name="unconfined_shell_domtrans" lineno="213">
 <summary>
 Transition to the unconfined domain by executing a shell.
 </summary>
@@ -108883,7 +109797,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_domtrans_to" lineno="252">
+<interface name="unconfined_domtrans_to" lineno="251">
 <summary>
 Allow unconfined to execute the specified program in
 the specified domain.
@@ -108910,7 +109824,7 @@ Domain entry point file.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_run_to" lineno="289">
+<interface name="unconfined_run_to" lineno="288">
 <summary>
 Allow unconfined to execute the specified program in
 the specified domain.  Allow the specified domain the
@@ -108939,7 +109853,7 @@ Domain entry point file.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_use_fds" lineno="310">
+<interface name="unconfined_use_fds" lineno="309">
 <summary>
 Inherit file descriptors from the unconfined domain.
 </summary>
@@ -108949,7 +109863,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_sigchld" lineno="328">
+<interface name="unconfined_sigchld" lineno="327">
 <summary>
 Send a SIGCHLD signal to the unconfined domain.
 </summary>
@@ -108959,7 +109873,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_signull" lineno="346">
+<interface name="unconfined_signull" lineno="345">
 <summary>
 Send a SIGNULL signal to the unconfined domain.
 </summary>
@@ -108969,7 +109883,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_signal" lineno="364">
+<interface name="unconfined_signal" lineno="363">
 <summary>
 Send generic signals to the unconfined domain.
 </summary>
@@ -108979,7 +109893,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_read_pipes" lineno="382">
+<interface name="unconfined_read_pipes" lineno="381">
+<summary>
+Read unconfined domain unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_write_inherited_pipes" lineno="399">
 <summary>
 Read unconfined domain unnamed pipes.
 </summary>
@@ -108989,7 +109913,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dontaudit_read_pipes" lineno="400">
+<interface name="unconfined_dontaudit_read_pipes" lineno="418">
 <summary>
 Do not audit attempts to read unconfined domain unnamed pipes.
 </summary>
@@ -108999,7 +109923,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_rw_pipes" lineno="418">
+<interface name="unconfined_rw_pipes" lineno="436">
 <summary>
 Read and write unconfined domain unnamed pipes.
 </summary>
@@ -109009,7 +109933,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dontaudit_rw_pipes" lineno="437">
+<interface name="unconfined_dontaudit_rw_pipes" lineno="455">
 <summary>
 Do not audit attempts to read and write
 unconfined domain unnamed pipes.
@@ -109020,7 +109944,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_stream_connect" lineno="456">
+<interface name="unconfined_stream_connect" lineno="474">
 <summary>
 Connect to the unconfined domain using
 a unix domain stream socket.
@@ -109031,7 +109955,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dontaudit_rw_stream_sockets" lineno="475">
+<interface name="unconfined_dontaudit_rw_stream_sockets" lineno="493">
 <summary>
 Do not audit attempts to read and write
 unconfined domain stream.
@@ -109042,7 +109966,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dontaudit_rw_tcp_sockets" lineno="504">
+<interface name="unconfined_dontaudit_rw_tcp_sockets" lineno="522">
 <summary>
 Do not audit attempts to read or write
 unconfined domain tcp sockets.
@@ -109063,7 +109987,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_search_keys" lineno="522">
+<interface name="unconfined_search_keys" lineno="540">
 <summary>
 Search keys for the unconfined domain.
 </summary>
@@ -109073,7 +109997,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_create_keys" lineno="540">
+<interface name="unconfined_create_keys" lineno="558">
 <summary>
 Create keys for the unconfined domain.
 </summary>
@@ -109083,7 +110007,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_write_keys" lineno="558">
+<interface name="unconfined_write_keys" lineno="576">
 <summary>
 Write keys for the unconfined domain.
 </summary>
@@ -109093,7 +110017,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dbus_send" lineno="576">
+<interface name="unconfined_dbus_send" lineno="594">
 <summary>
 Send messages to the unconfined domain over dbus.
 </summary>
@@ -109103,7 +110027,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dbus_chat" lineno="596">
+<interface name="unconfined_dbus_chat" lineno="614">
 <summary>
 Send and receive messages from
 unconfined_t over dbus.
@@ -109114,7 +110038,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dbus_connect" lineno="617">
+<interface name="unconfined_dbus_connect" lineno="635">
 <summary>
 Connect to the the unconfined DBUS
 for service (acquire_svc).
@@ -109346,7 +110270,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_login_user_template" lineno="965">
+<template name="userdom_login_user_template" lineno="969">
 <summary>
 The template for creating a login user.
 </summary>
@@ -109364,7 +110288,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_restricted_user_template" lineno="1089">
+<template name="userdom_restricted_user_template" lineno="1093">
 <summary>
 The template for creating a unprivileged login user.
 </summary>
@@ -109382,7 +110306,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_restricted_xwindows_user_template" lineno="1130">
+<template name="userdom_restricted_xwindows_user_template" lineno="1134">
 <summary>
 The template for creating a unprivileged xwindows login user.
 </summary>
@@ -109403,7 +110327,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_unpriv_user_template" lineno="1211">
+<template name="userdom_unpriv_user_template" lineno="1219">
 <summary>
 The template for creating a unprivileged user roughly
 equivalent to a regular linux user.
@@ -109426,7 +110350,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_admin_user_template" lineno="1331">
+<template name="userdom_admin_user_template" lineno="1339">
 <summary>
 The template for creating an administrative user.
 </summary>
@@ -109455,7 +110379,7 @@ is the prefix for sysadm_t).
 </summary>
 </param>
 </template>
-<interface name="userdom_security_admin_template" lineno="1512">
+<interface name="userdom_security_admin_template" lineno="1521">
 <summary>
 Allow user to run as a secadm
 </summary>
@@ -109481,7 +110405,7 @@ The role  of the object to create.
 </summary>
 </param>
 </interface>
-<template name="userdom_xdg_user_template" lineno="1615">
+<template name="userdom_xdg_user_template" lineno="1624">
 <summary>
 Allow user to interact with xdg content types
 </summary>
@@ -109502,7 +110426,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="userdom_user_application_type" lineno="1664">
+<interface name="userdom_user_application_type" lineno="1673">
 <summary>
 Make the specified type usable as
 a user application domain type.
@@ -109513,7 +110437,7 @@ Type to be used as a user application domain.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_application_domain" lineno="1685">
+<interface name="userdom_user_application_domain" lineno="1694">
 <summary>
 Make the specified type usable as
 a user application domain.
@@ -109529,7 +110453,7 @@ Type to be used as the domain entry point.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_content" lineno="1702">
+<interface name="userdom_user_home_content" lineno="1711">
 <summary>
 Make the specified type usable in a
 user home directory.
@@ -109541,7 +110465,7 @@ user home directory.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmp_file" lineno="1728">
+<interface name="userdom_user_tmp_file" lineno="1737">
 <summary>
 Make the specified type usable as a
 user temporary file.
@@ -109553,7 +110477,7 @@ temporary directories.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmpfs_file" lineno="1745">
+<interface name="userdom_user_tmpfs_file" lineno="1754">
 <summary>
 Make the specified type usable as a
 user tmpfs file.
@@ -109565,7 +110489,7 @@ tmpfs directories.
 </summary>
 </param>
 </interface>
-<interface name="userdom_attach_admin_tun_iface" lineno="1760">
+<interface name="userdom_attach_admin_tun_iface" lineno="1769">
 <summary>
 Allow domain to attach to TUN devices created by administrative users.
 </summary>
@@ -109575,7 +110499,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_user_ptys" lineno="1779">
+<interface name="userdom_setattr_user_ptys" lineno="1788">
 <summary>
 Set the attributes of a user pty.
 </summary>
@@ -109585,7 +110509,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_user_pty" lineno="1797">
+<interface name="userdom_create_user_pty" lineno="1806">
 <summary>
 Create a user pty.
 </summary>
@@ -109595,7 +110519,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_user_home_dirs" lineno="1815">
+<interface name="userdom_getattr_user_home_dirs" lineno="1824">
 <summary>
 Get the attributes of user home directories.
 </summary>
@@ -109605,7 +110529,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1834">
+<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1843">
 <summary>
 Do not audit attempts to get the attributes of user home directories.
 </summary>
@@ -109615,7 +110539,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_home_dirs" lineno="1852">
+<interface name="userdom_search_user_home_dirs" lineno="1861">
 <summary>
 Search user home directories.
 </summary>
@@ -109625,7 +110549,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1879">
+<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1888">
 <summary>
 Do not audit attempts to search user home directories.
 </summary>
@@ -109643,7 +110567,7 @@ Domain to not audit.
 </param>
 <infoflow type="none"/>
 </interface>
-<interface name="userdom_list_user_home_dirs" lineno="1897">
+<interface name="userdom_list_user_home_dirs" lineno="1906">
 <summary>
 List user home directories.
 </summary>
@@ -109653,7 +110577,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1916">
+<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1925">
 <summary>
 Do not audit attempts to list user home subdirectories.
 </summary>
@@ -109663,7 +110587,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_user_home_dirs" lineno="1934">
+<interface name="userdom_create_user_home_dirs" lineno="1943">
 <summary>
 Create user home directories.
 </summary>
@@ -109673,7 +110597,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_dirs" lineno="1952">
+<interface name="userdom_manage_user_home_dirs" lineno="1961">
 <summary>
 Manage user home directories.
 </summary>
@@ -109683,7 +110607,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1971">
+<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1980">
 <summary>
 Do not audit attempts to manage user
 home directories.
@@ -109694,7 +110618,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_home_dirs" lineno="1989">
+<interface name="userdom_relabelto_user_home_dirs" lineno="1998">
 <summary>
 Relabel to user home directories.
 </summary>
@@ -109704,7 +110628,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_home_filetrans_user_home_dir" lineno="2013">
+<interface name="userdom_home_filetrans_user_home_dir" lineno="2022">
 <summary>
 Create directories in the home dir root with
 the user home directory type.
@@ -109720,7 +110644,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_domtrans" lineno="2050">
+<interface name="userdom_user_home_domtrans" lineno="2059">
 <summary>
 Do a domain transition to the specified
 domain when executing a program in the
@@ -109749,7 +110673,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_home_content" lineno="2070">
+<interface name="userdom_dontaudit_search_user_home_content" lineno="2079">
 <summary>
 Do not audit attempts to search user home content directories.
 </summary>
@@ -109759,7 +110683,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_all_user_home_content" lineno="2088">
+<interface name="userdom_list_all_user_home_content" lineno="2097">
 <summary>
 List all users home content directories.
 </summary>
@@ -109769,7 +110693,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_user_home_content" lineno="2107">
+<interface name="userdom_list_user_home_content" lineno="2116">
 <summary>
 List contents of users home directory.
 </summary>
@@ -109779,7 +110703,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_dirs" lineno="2126">
+<interface name="userdom_manage_user_home_content_dirs" lineno="2135">
 <summary>
 Create, read, write, and delete directories
 in a user home subdirectory.
@@ -109790,7 +110714,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_dirs" lineno="2145">
+<interface name="userdom_delete_all_user_home_content_dirs" lineno="2154">
 <summary>
 Delete all user home content directories.
 </summary>
@@ -109800,7 +110724,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_dirs" lineno="2165">
+<interface name="userdom_delete_user_home_content_dirs" lineno="2174">
 <summary>
 Delete directories in a user home subdirectory.
 </summary>
@@ -109810,7 +110734,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2183">
+<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2192">
 <summary>
 Set attributes of all user home content directories.
 </summary>
@@ -109820,7 +110744,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2203">
+<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2212">
 <summary>
 Do not audit attempts to set the
 attributes of user home files.
@@ -109831,7 +110755,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_home_content_files" lineno="2221">
+<interface name="userdom_map_user_home_content_files" lineno="2230">
 <summary>
 Map user home files.
 </summary>
@@ -109841,7 +110765,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_mmap_user_home_content_files" lineno="2239">
+<interface name="userdom_mmap_user_home_content_files" lineno="2248">
 <summary>
 Mmap user home files.
 </summary>
@@ -109851,7 +110775,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_home_content_files" lineno="2258">
+<interface name="userdom_read_user_home_content_files" lineno="2267">
 <summary>
 Read user home files.
 </summary>
@@ -109861,7 +110785,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2277">
+<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2286">
 <summary>
 Do not audit attempts to read user home files.
 </summary>
@@ -109871,7 +110795,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_user_home_content" lineno="2296">
+<interface name="userdom_read_all_user_home_content" lineno="2305">
 <summary>
 Read all user home content, including application-specific resources.
 </summary>
@@ -109881,7 +110805,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_all_user_home_content" lineno="2318">
+<interface name="userdom_manage_all_user_home_content" lineno="2327">
 <summary>
 Manage all user home content, including application-specific resources.
 </summary>
@@ -109891,7 +110815,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_all_user_home_content_files" lineno="2340">
+<interface name="userdom_map_all_user_home_content_files" lineno="2349">
 <summary>
 Map all user home content, including application-specific resources.
 </summary>
@@ -109901,7 +110825,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2358">
+<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2367">
 <summary>
 Do not audit attempts to append user home files.
 </summary>
@@ -109911,7 +110835,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2376">
+<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2385">
 <summary>
 Do not audit attempts to write user home files.
 </summary>
@@ -109921,7 +110845,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_files" lineno="2394">
+<interface name="userdom_delete_all_user_home_content_files" lineno="2403">
 <summary>
 Delete all user home content files.
 </summary>
@@ -109931,7 +110855,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_files" lineno="2414">
+<interface name="userdom_delete_user_home_content_files" lineno="2423">
 <summary>
 Delete files in a user home subdirectory.
 </summary>
@@ -109941,7 +110865,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_generic_user_home_dirs" lineno="2432">
+<interface name="userdom_relabel_generic_user_home_dirs" lineno="2441">
 <summary>
 Relabel generic user home dirs.
 </summary>
@@ -109951,7 +110875,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_generic_user_home_files" lineno="2450">
+<interface name="userdom_relabel_generic_user_home_files" lineno="2459">
 <summary>
 Relabel generic user home files.
 </summary>
@@ -109961,7 +110885,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2468">
+<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2477">
 <summary>
 Do not audit attempts to relabel user home files.
 </summary>
@@ -109971,7 +110895,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_home_content_symlinks" lineno="2486">
+<interface name="userdom_read_user_home_content_symlinks" lineno="2495">
 <summary>
 Read user home subdirectory symbolic links.
 </summary>
@@ -109981,7 +110905,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_exec_user_home_content_files" lineno="2506">
+<interface name="userdom_exec_user_home_content_files" lineno="2515">
 <summary>
 Execute user home files.
 </summary>
@@ -109992,7 +110916,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2533">
+<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2542">
 <summary>
 Do not audit attempts to execute user home files.
 </summary>
@@ -110002,7 +110926,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_files" lineno="2552">
+<interface name="userdom_manage_user_home_content_files" lineno="2561">
 <summary>
 Create, read, write, and delete files
 in a user home subdirectory.
@@ -110013,7 +110937,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2573">
+<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2582">
 <summary>
 Do not audit attempts to create, read, write, and delete directories
 in a user home subdirectory.
@@ -110024,7 +110948,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_symlinks" lineno="2592">
+<interface name="userdom_manage_user_home_content_symlinks" lineno="2601">
 <summary>
 Create, read, write, and delete symbolic links
 in a user home subdirectory.
@@ -110035,7 +110959,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2612">
+<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2621">
 <summary>
 Delete all user home content symbolic links.
 </summary>
@@ -110045,7 +110969,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_symlinks" lineno="2632">
+<interface name="userdom_delete_user_home_content_symlinks" lineno="2641">
 <summary>
 Delete symbolic links in a user home directory.
 </summary>
@@ -110055,7 +110979,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_pipes" lineno="2651">
+<interface name="userdom_manage_user_home_content_pipes" lineno="2660">
 <summary>
 Create, read, write, and delete named pipes
 in a user home subdirectory.
@@ -110066,7 +110990,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_sockets" lineno="2672">
+<interface name="userdom_manage_user_home_content_sockets" lineno="2681">
 <summary>
 Create, read, write, and delete named sockets
 in a user home subdirectory.
@@ -110077,7 +111001,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans" lineno="2709">
+<interface name="userdom_user_home_dir_filetrans" lineno="2718">
 <summary>
 Create objects in a user home directory
 with an automatic type transition to
@@ -110104,7 +111028,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_content_filetrans" lineno="2746">
+<interface name="userdom_user_home_content_filetrans" lineno="2755">
 <summary>
 Create objects in a directory located
 in a user home directory with an
@@ -110132,7 +111056,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2777">
+<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2786">
 <summary>
 Automatically use the user_cert_t label for selected resources
 created in a users home directory
@@ -110153,7 +111077,7 @@ Name of the resource that is being created
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2807">
+<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2816">
 <summary>
 Create objects in a user home directory
 with an automatic type transition to
@@ -110175,7 +111099,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_exec_user_bin_files" lineno="2826">
+<interface name="userdom_exec_user_bin_files" lineno="2835">
 <summary>
 Execute user executable files.
 </summary>
@@ -110185,7 +111109,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_bin" lineno="2846">
+<interface name="userdom_manage_user_bin" lineno="2855">
 <summary>
 Manage user executable files.
 </summary>
@@ -110195,7 +111119,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_certs" lineno="2868">
+<interface name="userdom_read_user_certs" lineno="2877">
 <summary>
 Read user SSL certificates.
 </summary>
@@ -110206,7 +111130,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_dontaudit_manage_user_certs" lineno="2891">
+<interface name="userdom_dontaudit_manage_user_certs" lineno="2900">
 <summary>
 Do not audit attempts to manage
 the user SSL certificates.
@@ -110218,7 +111142,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_manage_user_certs" lineno="2911">
+<interface name="userdom_manage_user_certs" lineno="2920">
 <summary>
 Manage user SSL certificates.
 </summary>
@@ -110228,7 +111152,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_user_tmp_sockets" lineno="2932">
+<interface name="userdom_write_user_tmp_sockets" lineno="2941">
 <summary>
 Write to user temporary named sockets.
 </summary>
@@ -110238,7 +111162,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_user_tmp" lineno="2952">
+<interface name="userdom_list_user_tmp" lineno="2961">
 <summary>
 List user temporary directories.
 </summary>
@@ -110248,7 +111172,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_list_user_tmp" lineno="2974">
+<interface name="userdom_dontaudit_list_user_tmp" lineno="2983">
 <summary>
 Do not audit attempts to list user
 temporary directories.
@@ -110259,7 +111183,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_dirs" lineno="2992">
+<interface name="userdom_delete_user_tmp_dirs" lineno="3001">
 <summary>
 Delete users temporary directories.
 </summary>
@@ -110269,7 +111193,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3011">
+<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3020">
 <summary>
 Do not audit attempts to manage users
 temporary directories.
@@ -110280,7 +111204,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmp_files" lineno="3029">
+<interface name="userdom_read_user_tmp_files" lineno="3038">
 <summary>
 Read user temporary files.
 </summary>
@@ -110290,7 +111214,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_tmp_files" lineno="3050">
+<interface name="userdom_map_user_tmp_files" lineno="3059">
 <summary>
 Map user temporary files.
 </summary>
@@ -110300,7 +111224,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3069">
+<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3078">
 <summary>
 Do not audit attempts to read users
 temporary files.
@@ -110311,7 +111235,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3088">
+<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3097">
 <summary>
 Do not audit attempts to append users
 temporary files.
@@ -110322,7 +111246,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_user_tmp_files" lineno="3106">
+<interface name="userdom_rw_user_tmp_files" lineno="3115">
 <summary>
 Read and write user temporary files.
 </summary>
@@ -110332,7 +111256,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_files" lineno="3127">
+<interface name="userdom_delete_user_tmp_files" lineno="3136">
 <summary>
 Delete users temporary files.
 </summary>
@@ -110342,7 +111266,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3146">
+<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3155">
 <summary>
 Do not audit attempts to manage users
 temporary files.
@@ -110353,7 +111277,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmp_symlinks" lineno="3164">
+<interface name="userdom_read_user_tmp_symlinks" lineno="3173">
 <summary>
 Read user temporary symbolic links.
 </summary>
@@ -110363,7 +111287,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_symlinks" lineno="3185">
+<interface name="userdom_delete_user_tmp_symlinks" lineno="3194">
 <summary>
 Delete users temporary symbolic links.
 </summary>
@@ -110373,7 +111297,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_dirs" lineno="3204">
+<interface name="userdom_manage_user_tmp_dirs" lineno="3213">
 <summary>
 Create, read, write, and delete user
 temporary directories.
@@ -110384,7 +111308,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_named_pipes" lineno="3224">
+<interface name="userdom_delete_user_tmp_named_pipes" lineno="3233">
 <summary>
 Delete users temporary named pipes.
 </summary>
@@ -110394,7 +111318,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_files" lineno="3243">
+<interface name="userdom_manage_user_tmp_files" lineno="3252">
 <summary>
 Create, read, write, and delete user
 temporary files.
@@ -110405,7 +111329,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_named_sockets" lineno="3263">
+<interface name="userdom_delete_user_tmp_named_sockets" lineno="3272">
 <summary>
 Delete users temporary named sockets.
 </summary>
@@ -110415,7 +111339,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_symlinks" lineno="3282">
+<interface name="userdom_manage_user_tmp_symlinks" lineno="3291">
 <summary>
 Create, read, write, and delete user
 temporary symbolic links.
@@ -110426,7 +111350,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3303">
+<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3312">
 <summary>
 Do not audit attempts to read and write
 temporary pipes.
@@ -110437,7 +111361,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_pipes" lineno="3322">
+<interface name="userdom_manage_user_tmp_pipes" lineno="3331">
 <summary>
 Create, read, write, and delete user
 temporary named pipes.
@@ -110448,7 +111372,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_sockets" lineno="3343">
+<interface name="userdom_manage_user_tmp_sockets" lineno="3352">
 <summary>
 Create, read, write, and delete user
 temporary named sockets.
@@ -110459,7 +111383,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmp_filetrans" lineno="3380">
+<interface name="userdom_user_tmp_filetrans" lineno="3389">
 <summary>
 Create objects in a user temporary directory
 with an automatic type transition to
@@ -110486,7 +111410,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_tmp_filetrans_user_tmp" lineno="3412">
+<interface name="userdom_tmp_filetrans_user_tmp" lineno="3421">
 <summary>
 Create objects in the temporary directory
 with an automatic type transition to
@@ -110508,7 +111432,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_tmpfs_files" lineno="3430">
+<interface name="userdom_map_user_tmpfs_files" lineno="3439">
 <summary>
 Map user tmpfs files.
 </summary>
@@ -110518,7 +111442,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmpfs_files" lineno="3448">
+<interface name="userdom_read_user_tmpfs_files" lineno="3457">
 <summary>
 Read user tmpfs files.
 </summary>
@@ -110528,7 +111452,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3468">
+<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3477">
 <summary>
 dontaudit Read attempts of user tmpfs files.
 </summary>
@@ -110538,7 +111462,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3487">
+<interface name="userdom_dontaudit_execute_user_tmpfs_files" lineno="3496">
+<summary>
+dontaudit Execution attempts of user tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3514">
 <summary>
 relabel to/from user tmpfs dirs
 </summary>
@@ -110548,7 +111482,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_tmpfs_files" lineno="3506">
+<interface name="userdom_relabel_user_tmpfs_files" lineno="3533">
 <summary>
 relabel to/from user tmpfs files
 </summary>
@@ -110558,7 +111492,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_content" lineno="3528">
+<interface name="userdom_user_runtime_content" lineno="3555">
 <summary>
 Make the specified type usable in
 the directory /run/user/%{USERID}/.
@@ -110570,7 +111504,7 @@ user_runtime_content_dir_t.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_runtime" lineno="3548">
+<interface name="userdom_search_user_runtime" lineno="3575">
 <summary>
 Search users runtime directories.
 </summary>
@@ -110580,7 +111514,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_runtime_root" lineno="3567">
+<interface name="userdom_search_user_runtime_root" lineno="3594">
 <summary>
 Search user runtime root directories.
 </summary>
@@ -110590,7 +111524,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3587">
+<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3614">
 <summary>
 Do not audit attempts to search
 user runtime root directories.
@@ -110601,7 +111535,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_runtime_root_dirs" lineno="3606">
+<interface name="userdom_manage_user_runtime_root_dirs" lineno="3633">
 <summary>
 Create, read, write, and delete user
 runtime root dirs.
@@ -110612,7 +111546,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3625">
+<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3652">
 <summary>
 Relabel to and from user runtime root dirs.
 </summary>
@@ -110622,7 +111556,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_runtime_dirs" lineno="3644">
+<interface name="userdom_manage_user_runtime_dirs" lineno="3671">
 <summary>
 Create, read, write, and delete user
 runtime dirs.
@@ -110633,7 +111567,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_mounton_user_runtime_dirs" lineno="3664">
+<interface name="userdom_watch_user_runtime_dirs" lineno="3690">
+<summary>
+Watch user runtime dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_mounton_user_runtime_dirs" lineno="3710">
 <summary>
 Mount a filesystem on user runtime dir
 directories.
@@ -110644,7 +111588,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_runtime_dirs" lineno="3682">
+<interface name="userdom_relabelto_user_runtime_dirs" lineno="3728">
 <summary>
 Relabel to user runtime directories.
 </summary>
@@ -110654,7 +111598,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3700">
+<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3746">
 <summary>
 Relabel from user runtime directories.
 </summary>
@@ -110664,7 +111608,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3718">
+<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3764">
 <summary>
 write user runtime socket files
 </summary>
@@ -110674,7 +111618,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_runtime_files" lineno="3737">
+<interface name="userdom_delete_user_runtime_files" lineno="3783">
 <summary>
 delete user runtime files
 </summary>
@@ -110684,7 +111628,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_all_user_runtime" lineno="3756">
+<interface name="userdom_search_all_user_runtime" lineno="3802">
 <summary>
 Search users runtime directories.
 </summary>
@@ -110694,7 +111638,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_all_user_runtime" lineno="3775">
+<interface name="userdom_list_all_user_runtime" lineno="3821">
 <summary>
 List user runtime directories.
 </summary>
@@ -110704,7 +111648,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_dirs" lineno="3794">
+<interface name="userdom_delete_all_user_runtime_dirs" lineno="3840">
 <summary>
 delete user runtime directories
 </summary>
@@ -110714,7 +111658,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_files" lineno="3812">
+<interface name="userdom_delete_all_user_runtime_files" lineno="3858">
 <summary>
 delete user runtime files
 </summary>
@@ -110724,7 +111668,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3830">
+<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3876">
 <summary>
 delete user runtime symlink files
 </summary>
@@ -110734,7 +111678,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3848">
+<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3894">
 <summary>
 delete user runtime fifo files
 </summary>
@@ -110744,7 +111688,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3866">
+<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3912">
 <summary>
 delete user runtime socket files
 </summary>
@@ -110754,7 +111698,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3884">
+<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3930">
 <summary>
 delete user runtime blk files
 </summary>
@@ -110764,7 +111708,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3902">
+<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3948">
 <summary>
 delete user runtime chr files
 </summary>
@@ -110774,7 +111718,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3932">
+<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3978">
 <summary>
 Create objects in the runtime directory
 with an automatic type transition to
@@ -110796,7 +111740,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_filetrans" lineno="3968">
+<interface name="userdom_user_runtime_filetrans" lineno="4014">
 <summary>
 Create objects in a user runtime
 directory with an automatic type
@@ -110824,7 +111768,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3999">
+<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="4045">
 <summary>
 Create objects in the user runtime directory
 with an automatic type transition to
@@ -110846,7 +111790,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4029">
+<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4075">
 <summary>
 Create objects in the user runtime root
 directory with an automatic type transition
@@ -110868,7 +111812,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_run_filetrans_user_runtime" lineno="4060">
+<interface name="userdom_user_run_filetrans_user_runtime" lineno="4106">
 <summary>
 Create objects in the user runtime root
 directory with an automatic type transition
@@ -110890,7 +111834,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_user_tmpfs_files" lineno="4078">
+<interface name="userdom_rw_user_tmpfs_files" lineno="4124">
 <summary>
 Read and write user tmpfs files.
 </summary>
@@ -110900,7 +111844,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmpfs_files" lineno="4099">
+<interface name="userdom_delete_user_tmpfs_files" lineno="4145">
 <summary>
 Delete user tmpfs files.
 </summary>
@@ -110910,7 +111854,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmpfs_files" lineno="4118">
+<interface name="userdom_manage_user_tmpfs_files" lineno="4164">
 <summary>
 Create, read, write, and delete user tmpfs files.
 </summary>
@@ -110920,7 +111864,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_user_ttys" lineno="4138">
+<interface name="userdom_getattr_user_ttys" lineno="4184">
 <summary>
 Get the attributes of a user domain tty.
 </summary>
@@ -110930,7 +111874,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4156">
+<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4202">
 <summary>
 Do not audit attempts to get the attributes of a user domain tty.
 </summary>
@@ -110940,7 +111884,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_user_ttys" lineno="4174">
+<interface name="userdom_setattr_user_ttys" lineno="4220">
 <summary>
 Set the attributes of a user domain tty.
 </summary>
@@ -110950,7 +111894,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4192">
+<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4238">
 <summary>
 Do not audit attempts to set the attributes of a user domain tty.
 </summary>
@@ -110960,7 +111904,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_user_ttys" lineno="4210">
+<interface name="userdom_use_user_ttys" lineno="4256">
 <summary>
 Read and write a user domain tty.
 </summary>
@@ -110970,7 +111914,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_user_ptys" lineno="4228">
+<interface name="userdom_use_user_ptys" lineno="4274">
 <summary>
 Read and write a user domain pty.
 </summary>
@@ -110980,7 +111924,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_inherited_user_terminals" lineno="4263">
+<interface name="userdom_use_inherited_user_terminals" lineno="4309">
 <summary>
 Read and write a user TTYs and PTYs.
 </summary>
@@ -111006,7 +111950,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="userdom_use_user_terminals" lineno="4304">
+<interface name="userdom_use_user_terminals" lineno="4350">
 <summary>
 Read, write and open a user TTYs and PTYs.
 </summary>
@@ -111038,7 +111982,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="userdom_dontaudit_use_user_terminals" lineno="4320">
+<interface name="userdom_dontaudit_use_user_terminals" lineno="4366">
 <summary>
 Do not audit attempts to read and write
 a user domain tty and pty.
@@ -111049,7 +111993,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_lock_user_terminals" lineno="4339">
+<interface name="userdom_lock_user_terminals" lineno="4385">
 <summary>
 Lock user TTYs and PTYs.
 </summary>
@@ -111059,7 +112003,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_spec_domtrans_all_users" lineno="4360">
+<interface name="userdom_spec_domtrans_all_users" lineno="4406">
 <summary>
 Execute a shell in all user domains.  This
 is an explicit transition, requiring the
@@ -111071,7 +112015,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4383">
+<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4429">
 <summary>
 Execute an Xserver session in all user domains.  This
 is an explicit transition, requiring the
@@ -111083,7 +112027,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_spec_domtrans_unpriv_users" lineno="4406">
+<interface name="userdom_spec_domtrans_unpriv_users" lineno="4452">
 <summary>
 Execute a shell in all unprivileged user domains.  This
 is an explicit transition, requiring the
@@ -111095,7 +112039,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4429">
+<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4475">
 <summary>
 Execute an Xserver session in all unprivileged user domains.  This
 is an explicit transition, requiring the
@@ -111107,7 +112051,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_unpriv_user_semaphores" lineno="4450">
+<interface name="userdom_rw_unpriv_user_semaphores" lineno="4496">
 <summary>
 Read and write unpriviledged user SysV sempaphores.
 </summary>
@@ -111117,7 +112061,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_unpriv_user_semaphores" lineno="4468">
+<interface name="userdom_manage_unpriv_user_semaphores" lineno="4514">
 <summary>
 Manage unpriviledged user SysV sempaphores.
 </summary>
@@ -111127,7 +112071,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4487">
+<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4533">
 <summary>
 Read and write unpriviledged user SysV shared
 memory segments.
@@ -111138,7 +112082,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4506">
+<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4552">
 <summary>
 Manage unpriviledged user SysV shared
 memory segments.
@@ -111149,7 +112093,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4526">
+<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4572">
 <summary>
 Execute bin_t in the unprivileged user domains. This
 is an explicit transition, requiring the
@@ -111161,7 +112105,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4549">
+<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4595">
 <summary>
 Execute all entrypoint files in unprivileged user
 domains. This is an explicit transition, requiring the
@@ -111173,7 +112117,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_home_content" lineno="4570">
+<interface name="userdom_search_user_home_content" lineno="4616">
 <summary>
 Search users home directories.
 </summary>
@@ -111183,7 +112127,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_watch_user_home_dirs" lineno="4589">
+<interface name="userdom_watch_user_home_dirs" lineno="4635">
 <summary>
 watch users home directories.
 </summary>
@@ -111193,7 +112137,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signull_unpriv_users" lineno="4607">
+<interface name="userdom_signull_unpriv_users" lineno="4653">
 <summary>
 Send signull to unprivileged user domains.
 </summary>
@@ -111203,7 +112147,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signal_unpriv_users" lineno="4625">
+<interface name="userdom_signal_unpriv_users" lineno="4671">
 <summary>
 Send general signals to unprivileged user domains.
 </summary>
@@ -111213,7 +112157,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_unpriv_users_fds" lineno="4643">
+<interface name="userdom_use_unpriv_users_fds" lineno="4689">
 <summary>
 Inherit the file descriptors from unprivileged user domains.
 </summary>
@@ -111223,7 +112167,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4671">
+<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4717">
 <summary>
 Do not audit attempts to inherit the file descriptors
 from unprivileged user domains.
@@ -111243,7 +112187,7 @@ Domain to not audit.
 </param>
 <infoflow type="none"/>
 </interface>
-<interface name="userdom_dontaudit_use_user_ptys" lineno="4689">
+<interface name="userdom_dontaudit_use_user_ptys" lineno="4735">
 <summary>
 Do not audit attempts to use user ptys.
 </summary>
@@ -111253,7 +112197,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_ptys" lineno="4707">
+<interface name="userdom_relabelto_user_ptys" lineno="4753">
 <summary>
 Relabel files to unprivileged user pty types.
 </summary>
@@ -111263,7 +112207,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4726">
+<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4772">
 <summary>
 Do not audit attempts to relabel files from
 user pty types.
@@ -111274,7 +112218,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_user_tmp_files" lineno="4744">
+<interface name="userdom_write_user_tmp_files" lineno="4790">
 <summary>
 Write all users files in /tmp
 </summary>
@@ -111284,7 +112228,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4763">
+<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4809">
 <summary>
 Do not audit attempts to write users
 temporary files.
@@ -111295,7 +112239,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_user_ttys" lineno="4781">
+<interface name="userdom_dontaudit_use_user_ttys" lineno="4827">
 <summary>
 Do not audit attempts to use user ttys.
 </summary>
@@ -111305,7 +112249,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_users_state" lineno="4799">
+<interface name="userdom_read_all_users_state" lineno="4845">
 <summary>
 Read the process state of all user domains.
 </summary>
@@ -111315,7 +112259,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_all_users" lineno="4819">
+<interface name="userdom_getattr_all_users" lineno="4865">
 <summary>
 Get the attributes of all user domains.
 </summary>
@@ -111325,7 +112269,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_all_users_fds" lineno="4837">
+<interface name="userdom_use_all_users_fds" lineno="4883">
 <summary>
 Inherit the file descriptors from all user domains
 </summary>
@@ -111335,7 +112279,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_all_users_fds" lineno="4856">
+<interface name="userdom_dontaudit_use_all_users_fds" lineno="4902">
 <summary>
 Do not audit attempts to inherit the file
 descriptors from any user domains.
@@ -111346,7 +112290,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signal_all_users" lineno="4874">
+<interface name="userdom_signal_all_users" lineno="4920">
 <summary>
 Send general signals to all user domains.
 </summary>
@@ -111356,7 +112300,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_sigchld_all_users" lineno="4892">
+<interface name="userdom_sigchld_all_users" lineno="4938">
 <summary>
 Send a SIGCHLD signal to all user domains.
 </summary>
@@ -111366,7 +112310,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_users_keys" lineno="4910">
+<interface name="userdom_read_all_users_keys" lineno="4956">
 <summary>
 Read keys for all user domains.
 </summary>
@@ -111376,7 +112320,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_all_users_keys" lineno="4928">
+<interface name="userdom_write_all_users_keys" lineno="4974">
 <summary>
 Write keys for all user domains.
 </summary>
@@ -111386,7 +112330,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_all_users_keys" lineno="4946">
+<interface name="userdom_rw_all_users_keys" lineno="4992">
 <summary>
 Read and write keys for all user domains.
 </summary>
@@ -111396,7 +112340,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_all_users_keys" lineno="4964">
+<interface name="userdom_create_all_users_keys" lineno="5010">
 <summary>
 Create keys for all user domains.
 </summary>
@@ -111406,7 +112350,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_all_users_keys" lineno="4982">
+<interface name="userdom_manage_all_users_keys" lineno="5028">
 <summary>
 Manage keys for all user domains.
 </summary>
@@ -111416,7 +112360,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dbus_send_all_users" lineno="5000">
+<interface name="userdom_dbus_send_all_users" lineno="5046">
 <summary>
 Send a dbus message to all user domains.
 </summary>
@@ -111426,7 +112370,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_chr_files" lineno="5022">
+<interface name="userdom_manage_user_tmp_chr_files" lineno="5068">
 <summary>
 Create, read, write, and delete user
 temporary character files.
@@ -111437,7 +112381,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_certs" lineno="5043">
+<interface name="userdom_relabel_user_certs" lineno="5089">
 <summary>
 Allow relabeling resources to user_cert_t
 </summary>
@@ -111447,7 +112391,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5066">
+<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5112">
 <summary>
 Do not audit attempts to read and write
 unserdomain stream.
diff --git a/policy/booleans.conf b/policy/booleans.conf
index f244d9c51..f38f543fb 100644
--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -28,6 +28,11 @@ secure_mode = false
 # 
 aide_mmap_files = false
 
+#
+# Enable support for cloud-init to manage all non-security files.
+# 
+cloudinit_manage_non_security = false
+
 #
 # Grant the firstboot domains read access to generic user content
 # 
@@ -1590,6 +1595,15 @@ git_client_manage_all_user_home_content = false
 # 
 allow_httpd_git_script_anon_write = false
 
+#
+# Allow the gluster daemon to manage unlabeled
+# objects. This could happen if the underlying
+# gluster brick experiences data corruption
+# and you want to allow gluster to handle
+# files with corrupted or missing xattrs.
+# 
+glusterfs_manage_unlabeled = false
+
 #
 # Allow the gluster daemon to automatically
 # add and remove file contexts from the local
diff --git a/policy/modules.conf b/policy/modules.conf
index 8741c1eb5..07319bbe4 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -1288,6 +1288,13 @@ clamav = module
 # 
 cobbler = module
 
+# Layer: services
+# Module: cockpit
+#
+# Cockpit web management system for Linux
+# 
+cockpit = module
+
 # Layer: services
 # Module: collectd
 #