little misc strict from Russell Coker.

policy/modules/admin/usermanage.te

@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.20.1)
+policy_module(usermanage, 1.20.2)
 
 ########################################
 #
@@ -189,7 +189,7 @@ optional_policy(`
 # Groupadd local policy
 #
 
-allow groupadd_t self:capability { audit_write chown dac_override kill setuid sys_resource };
+allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };

policy/modules/roles/sysadm.te

@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.11.5)
+policy_module(sysadm, 2.11.6)
 
 ########################################
 #
@@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
 init_exec(sysadm_t)
 init_admin(sysadm_t)
 
+selinux_read_policy(sysadm_t)
+
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)

policy/modules/services/xserver.te

@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.11)
+policy_module(xserver, 3.13.12)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
 files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 
 allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors")
 
 allow xauth_t xdm_t:process sigchld;
 allow xauth_t xdm_t:fd use;

policy/modules/system/fstools.te

@@ -1,4 +1,4 @@
-policy_module(fstools, 1.20.6)
+policy_module(fstools, 1.20.7)
 
 ########################################
 #
@@ -134,6 +134,8 @@ files_search_all(fsadm_t)
 mls_file_read_all_levels(fsadm_t)
 mls_file_write_all_levels(fsadm_t)
 
+selinux_getattr_fs(fsadm_t)
+
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)

policy/modules/system/selinuxutil.te

@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.8)
+policy_module(selinuxutil, 1.22.9)
 
 gen_require(`
 	bool secure_mode;
@@ -171,6 +171,8 @@ allow load_policy_t self:capability dac_override;
 # only allow read of policy config files
 read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
 
+dev_read_urand(load_policy_t)
+
 domain_use_interactive_fds(load_policy_t)
 
 # for mcs.conf
@@ -358,6 +360,7 @@ fs_getattr_pstore_dirs(restorecond_t)
 fs_getattr_tracefs(restorecond_t)
 fs_list_inotifyfs(restorecond_t)
 fs_relabelfrom_noxattr_fs(restorecond_t)
+fs_getattr_pstorefs(restorecond_t)
 
 selinux_validate_context(restorecond_t)
 selinux_compute_access_vector(restorecond_t)
@@ -488,6 +491,7 @@ kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
 
 corecmd_exec_bin(semanage_t)
+corecmd_exec_shell(semanage_t)
 
 dev_read_urand(semanage_t)
 
@@ -590,6 +594,7 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_nfs(setfiles_t)
 fs_getattr_pstore_dirs(setfiles_t)
 fs_getattr_pstorefs(setfiles_t)
 fs_getattr_tracefs(setfiles_t)