From 1ba0a986f6f7a8c6960a1643878498c68659573b Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Aug 18 2015 08:39:06 +0000 Subject: * Tue Aug 18 2015 Lukas Vrabec 3.13.1-142 - Allow samba_net_t to manage samba_var_t sock files. - Allow httpd daemon to manage httpd_var_lib_t lnk_files. - Allow collectd stream connect to pdns.(BZ #1191044) - Add interface pdns_stream_connect() - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Allow chronyd exec systemctl - Merge pull request #30 from vmojzis/rawhide-contrib - Hsqldb policy upgrade -Allow sock_file management - Add interface chronyd_signal Allow timemaster_t send generic signals to chronyd_t. - Hsqldb policy upgrade. -Disallow hsqldb_tmp_t link_file management - Hsqldb policy upgrade: -Remove tmp link_file transition -Add policy summary -Remove redundant parameter for "hsqldb_admin" interface - Label /var/run/chrony-helper dir as chronyd_var_run_t. - Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldapd_tmpfs_t - Fix label on /var/tmp/kiprop_0 - Add mountpoint dontaudit access check in rhsmcertd policy. - Allow pcp_domain to manage pcp_var_lib_t lnk_files. - Allow chronyd to execute mkdir command. - Allow chronyd_t to read dhcpc state. - Label /usr/libexec/chrony-helper as chronyd_exec_t - Allow openhpid liboa_soap plugin to read resolv.conf file. - Allow openhpid liboa_soap plugin to read generic certs. - Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) - Allow logrotate to reload services. - Allow apcupsd_t to read /sys/devices - Allow kpropd to connect to kropd tcp port. - Allow systemd_networkd to send logs to syslog. - Added interface fs_dontaudit_write_configfs_dirs - Allow audisp client to read system state. - Label /var/run/xtables.lock as iptables_var_run_t. - Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde - Add interface to read/write watchdog device. - Add transition rule for iptables_var_lib_t --- 
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 619e58c..bd4d1a9 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -14499,7 +14499,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..cd82082 100644 +index 8416beb..f1378d6 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -14737,7 +14737,7 @@ index 8416beb..cd82082 100644 ') ######################################## -@@ -1542,6 +1666,44 @@ interface(`fs_cifs_domtrans',` +@@ -1542,6 +1666,63 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -14779,10 +14779,29 @@ index 8416beb..cd82082 100644 + allow $1 cifs_t:file entrypoint; +') + ++####################################### ++## ++## dontaudit write dirs ++## on a configfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_write_configfs_dirs',` ++ gen_require(` ++ type configfs_t; ++ ') ++ ++ dontaudit $1 configfs_t:dir write; ++') ++ ####################################### ## ## Create, read, write, and delete dirs -@@ -1582,6 +1744,24 @@ interface(`fs_manage_configfs_files',` +@@ -1582,6 +1763,24 @@ interface(`fs_manage_configfs_files',` ######################################## ## @@ -14807,7 +14826,7 @@ index 8416beb..cd82082 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1793,63 +1973,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +1992,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -14903,7 +14922,7 @@ index 8416beb..cd82082 100644 ## on a FUSEFS filesystem. ## ## -@@ -1859,18 +2046,19 @@ interface(`fs_mounton_fusefs',` +@@ -1859,18 +2065,19 @@ interface(`fs_mounton_fusefs',` ## ## # 
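Review bot: The parameter description of the new `fs_dontaudit_write_configfs_dirs` interface reads `## Domain allowed access.`, but a dontaudit interface grants nothing; the wording the other dontaudit interfaces in this file use (for example `fs_dontaudit_manage_fusefs_files`) is `## Domain to not audit.`. The summary `## dontaudit write dirs` should likewise read `## Do not audit attempts to write directories on a configfs filesystem.` so the generated interface docs make clear the rule only silences the denial rather than permitting the write. The body itself, `dontaudit $1 configfs_t:dir write;`, is appropriately narrow: no allow rule and only the dir class.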
@@ -14928,7 +14947,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -1878,135 +2066,151 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2085,151 @@ interface(`fs_search_fusefs',` ## ## # @@ -15123,7 +15142,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -2014,19 +2218,440 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,145 +2237,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # @@ -15144,24 +15163,28 @@ index 8416beb..cd82082 100644 -## filesystem. +## Search directories +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_search_fusefs',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 fusefs_t:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List hugetlbfs. +## Do not audit attempts to list the contents +## of directories on a FUSEFS filesystem. +## @@ -15183,24 +15206,28 @@ index 8416beb..cd82082 100644 +## +## Create, read, write, and delete directories +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_list_hugetlbfs',` +interface(`fs_manage_fusefs_dirs',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Manage hugetlbfs dirs. +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. 
@@ -15222,128 +15249,157 @@ index 8416beb..cd82082 100644 +######################################## +## +## Read, a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_read_fusefs_files',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + read_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write hugetlbfs files. +## Execute files on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_rw_hugetlbfs_files',` +interface(`fs_exec_fusefs_files',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + exec_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. +## Make general progams in FUSEFS an entrypoint for +## the specified domain. -+## + ## +-## +## -+## + ## +-## The type of the object to be associated. +## The domain for which fusefs_t is an entrypoint. -+## -+## -+# + ## + ## + # +-interface(`fs_associate_hugetlbfs',` +interface(`fs_fusefs_entry_type',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem associate; + domain_entry_file($1, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search inotifyfs filesystem. +## Make general progams in FUSEFS an entrypoint for +## the specified domain. 
-+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## The domain for which fusefs_t is an entrypoint. -+## -+## -+# + ## + ## + # +-interface(`fs_search_inotifyfs',` +interface(`fs_fusefs_entrypoint',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 fusefs_t:file entrypoint; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List inotifyfs filesystem. +## Create, read, write, and delete files +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_list_inotifyfs',` +interface(`fs_manage_fusefs_files',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; + manage_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -2160,53 +2432,626 @@ interface(`fs_list_inotifyfs',` + ## + ## + # +-interface(`fs_dontaudit_list_inotifyfs',` +interface(`fs_dontaudit_manage_fusefs_files',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; + dontaudit $1 fusefs_t:file manage_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. +## Read symbolic links on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## +# +interface(`fs_read_fusefs_symlinks',` + gen_require(` @@ -15359,10 +15415,12 @@ index 8416beb..cd82082 100644 +## Manage symbolic links on a FUSEFS filesystem. +## +## -+## + ## +-## The type of the object to be created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`fs_manage_fusefs_symlinks',` + gen_require(` @@ -15397,12 +15455,15 @@ index 8416beb..cd82082 100644 +##

+## +## -+## + ## +-## The object class of the object being created. +## Domain allowed to transition. -+## -+## + ## + ## +-## +## -+## + ## +-## The name of the object being created. +## The type of the new process. +## +## @@ -15566,50 +15627,42 @@ index 8416beb..cd82082 100644 +######################################## +## +## Search inotifyfs filesystem. - ## - ## - ## -@@ -2034,17 +2659,17 @@ interface(`fs_read_fusefs_symlinks',` - ## - ## - # --interface(`fs_getattr_hugetlbfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_search_inotifyfs',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type inotifyfs_t; - ') - -- allow $1 hugetlbfs_t:filesystem getattr; ++ ') ++ + allow $1 inotifyfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## List hugetlbfs. ++') ++ ++######################################## ++## +## List inotifyfs filesystem. - ## - ## - ## -@@ -2052,35 +2677,72 @@ interface(`fs_getattr_hugetlbfs',` - ## - ## - # --interface(`fs_list_hugetlbfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_list_inotifyfs',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type inotifyfs_t; - ') - -- allow $1 hugetlbfs_t:dir list_dir_perms; ++ ') ++ + allow $1 inotifyfs_t:dir list_dir_perms; + fs_read_anon_inodefs_files($1) - ') - - ######################################## - ## --## Manage hugetlbfs dirs. ++') ++ ++######################################## ++## +## Do not audit attempts to list inotifyfs filesystem. +## +## @@ -15630,12 +15683,12 @@ index 8416beb..cd82082 100644 +## +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## The type of the object to be created. 
@@ -15651,152 +15704,124 @@ index 8416beb..cd82082 100644 +## The name of the object being created. +## +## - # --interface(`fs_manage_hugetlbfs_dirs',` ++# +interface(`fs_hugetlbfs_filetrans',` - gen_require(` - type hugetlbfs_t; - ') - -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) - ') - - ######################################## - ## --## Read and write hugetlbfs files. ++') ++ ++######################################## ++## +## Mount an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## -@@ -2088,35 +2750,38 @@ interface(`fs_manage_hugetlbfs_dirs',` - ## - ## - # --interface(`fs_rw_hugetlbfs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mount_iso9660_fs',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type iso9660_t; - ') - -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ ') ++ + allow $1 iso9660_t:filesystem mount; - ') - - ######################################## - ## --## Allow the type to associate to hugetlbfs filesystems. ++') ++ ++######################################## ++## +## Remount an iso9660 filesystem, which +## is usually used on CDs. This allows +## some mount options to be changed. - ## --## ++## +## - ## --## The type of the object to be associated. ++## +## Domain allowed access. - ## - ## - # --interface(`fs_associate_hugetlbfs',` ++## ++## ++# +interface(`fs_remount_iso9660_fs',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type iso9660_t; - ') - -- allow $1 hugetlbfs_t:filesystem associate; ++ ') ++ + allow $1 iso9660_t:filesystem remount; - ') - - ######################################## - ## --## Search inotifyfs filesystem. ++') ++ ++######################################## ++## +## Unmount an iso9660 filesystem, which +## is usually used on CDs. 
- ## - ## - ## -@@ -2124,89 +2789,250 @@ interface(`fs_associate_hugetlbfs',` - ## - ## - # --interface(`fs_search_inotifyfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_unmount_iso9660_fs',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type iso9660_t; - ') - -- allow $1 inotifyfs_t:dir search_dir_perms; ++ ') ++ + allow $1 iso9660_t:filesystem unmount; - ') - - ######################################## - ## --## List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_list_inotifyfs',` ++# +interface(`fs_getattr_iso9660_fs',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type iso9660_t; - ') - -- allow $1 inotifyfs_t:dir list_dir_perms; ++ ') ++ + allow $1 iso9660_t:filesystem getattr; - ') - - ######################################## - ## --## Dontaudit List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Read files on an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_list_inotifyfs',` ++## ++## ++# +interface(`fs_getattr_iso9660_files',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type iso9660_t; - ') - -- dontaudit $1 inotifyfs_t:dir list_dir_perms; ++ ') ++ + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; - ') - - ######################################## - ## --## Create an object in a hugetlbfs filesystem, with a private --## type using a type transition. ++') ++ ++######################################## ++## +## Read files on an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`fs_read_iso9660_files',` + gen_require(` @@ -15814,12 +15839,10 @@ index 8416beb..cd82082 100644 +## Mount kdbus filesystems. +## +## - ## --## The type of the object to be created. ++## +## Domain allowed access. - ## - ## --## ++## ++## +# +interface(`fs_mount_kdbus', ` + gen_require(` @@ -15834,12 +15857,10 @@ index 8416beb..cd82082 100644 +## Remount kdbus filesystems. +## +## - ## --## The object class of the object being created. ++## +## Domain allowed access. - ## - ## --## ++## ++## +# +interface(`fs_remount_kdbus', ` + gen_require(` @@ -15854,8 +15875,7 @@ index 8416beb..cd82082 100644 +## Unmount kdbus filesystems. +## +## - ## --## The name of the object being created. ++## +## Domain allowed access. +## +## @@ -15997,7 +16017,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -2214,19 +3040,19 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3059,19 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # @@ -16024,7 +16044,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -2234,18 +3060,21 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3079,21 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -16051,7 +16071,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -2253,38 +3082,61 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3101,61 @@ interface(`fs_remount_iso9660_fs',` ## ## # @@ -16124,7 +16144,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -2292,19 +3144,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3163,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -16152,7 +16172,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -2312,16 +3166,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3185,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # 
@@ -16173,7 +16193,7 @@ index 8416beb..cd82082 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3251,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3270,24 @@ interface(`fs_getattr_nfs',` ######################################## ## @@ -16198,7 +16218,7 @@ index 8416beb..cd82082 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3356,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3375,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -16206,7 +16226,7 @@ index 8416beb..cd82082 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3395,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3414,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -16214,7 +16234,7 @@ index 8416beb..cd82082 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3422,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3441,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -16259,7 +16279,7 @@ index 8416beb..cd82082 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3480,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3499,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -16268,7 +16288,7 @@ index 8416beb..cd82082 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3500,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3519,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -16311,7 +16331,7 @@ index 8416beb..cd82082 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3550,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3569,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') 
@@ -16320,7 +16340,7 @@ index 8416beb..cd82082 100644 ') ######################################## -@@ -2627,7 +3574,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3593,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -16329,7 +16349,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -2719,6 +3666,47 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3685,47 @@ interface(`fs_search_rpc',` ######################################## ## @@ -16377,7 +16397,7 @@ index 8416beb..cd82082 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3729,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3748,7 @@ interface(`fs_search_removable',` ## ## ## @@ -16386,7 +16406,7 @@ index 8416beb..cd82082 100644 ## ## # -@@ -2777,7 +3765,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3784,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -16395,7 +16415,7 @@ index 8416beb..cd82082 100644 ## ## # -@@ -2970,6 +3958,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3977,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -16403,7 +16423,7 @@ index 8416beb..cd82082 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3999,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4018,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -16411,7 +16431,7 @@ index 8416beb..cd82082 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4040,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4059,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -16419,7 +16439,7 @@ index 8416beb..cd82082 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4128,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4147,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## 
@@ -16444,7 +16464,7 @@ index 8416beb..cd82082 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,6 +4272,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +4291,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -16469,7 +16489,7 @@ index 8416beb..cd82082 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +4310,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +4329,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -16494,7 +16514,7 @@ index 8416beb..cd82082 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +4437,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4456,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -16503,7 +16523,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3429,7 +4474,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4493,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -16512,7 +16532,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3447,7 +4492,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4511,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -16521,7 +16541,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3743,25 +4788,61 @@ interface(`fs_getattr_rpc_pipefs',` +@@ -3743,25 +4807,61 @@ interface(`fs_getattr_rpc_pipefs',` ######################################### ## @@ -16589,7 +16609,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3769,17 +4850,17 @@ interface(`fs_rw_rpc_named_pipes',` +@@ -3769,17 +4869,17 @@ interface(`fs_rw_rpc_named_pipes',` ## ## # @@ -16610,7 +16630,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3787,17 +4868,17 @@ interface(`fs_mount_tmpfs',` +@@ -3787,17 +4887,17 @@ interface(`fs_mount_tmpfs',` ## ## # 
@@ -16631,7 +16651,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3805,12 +4886,12 @@ interface(`fs_remount_tmpfs',` +@@ -3805,12 +4905,12 @@ interface(`fs_remount_tmpfs',` ## ## # @@ -16646,7 +16666,7 @@ index 8416beb..cd82082 100644 ') ######################################## -@@ -3908,7 +4989,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5008,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -16655,7 +16675,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3916,17 +4997,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5016,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -16676,7 +16696,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3934,17 +5015,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5034,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -16697,7 +16717,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3952,17 +5033,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5052,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -16737,7 +16757,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -3970,31 +5070,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5089,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -16793,7 +16813,7 @@ index 8416beb..cd82082 100644 ') ######################################## -@@ -4105,7 +5222,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5241,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -16802,7 +16822,7 @@ index 8416beb..cd82082 100644 ') ######################################## -@@ -4165,6 +5282,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5301,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -16827,7 +16847,7 @@ index 8416beb..cd82082 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5337,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5356,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## 
@@ -16836,7 +16856,7 @@ index 8416beb..cd82082 100644 ## ## ## -@@ -4221,6 +5356,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5375,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -16897,7 +16917,7 @@ index 8416beb..cd82082 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5467,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5486,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -16942,7 +16962,7 @@ index 8416beb..cd82082 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5524,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5543,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -16968,7 +16988,7 @@ index 8416beb..cd82082 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5749,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5768,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -16977,7 +16997,7 @@ index 8416beb..cd82082 100644 ') ######################################## -@@ -4549,7 +5797,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5816,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -16986,7 +17006,7 @@ index 8416beb..cd82082 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5844,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5863,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -17013,7 +17033,7 @@ index 8416beb..cd82082 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +5939,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +5958,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -17039,7 +17059,7 @@ index 8416beb..cd82082 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6199,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +6218,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -34685,10 +34705,10 @@ index 312cd04..dd6638a 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..51548c7 100644 +index 73a1c4e..ec4c7c7 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,41 @@ +@@ -1,22 +1,43 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -34746,6 +34766,8 @@ index 73a1c4e..51548c7 100644 +/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/var/lib/ebtables(/.*)? gen_context(system_u:object_r:iptables_var_lib_t,s0) ++ ++/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index c42fbc3..277fe6c 100644 --- a/policy/modules/system/iptables.if @@ -36538,7 +36560,7 @@ index 4e94884..7ab6191 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') 
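Review bot: The new context line `/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)` is wider than the changelog entry "Label /var/run/xtables.lock": in a file_contexts regex the unescaped `.` followed by `*` matches any regular file whose name begins with `xtables`, not just the lock file. If only the lock is meant, `/var/run/xtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)` matches exactly the file named in the changelog and avoids pulling unrelated `/var/run/xtables*` files into iptables_var_run_t. If other xtables files are intentionally covered, a short comment above the line naming them would spare the next reader the same question.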
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..5ac28ce 100644 +index 59b04c1..e1ec2e8 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -36717,15 +36739,19 @@ index 59b04c1..5ac28ce 100644 ') ######################################## -@@ -268,7 +314,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +@@ -266,9 +312,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) + manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) + files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) ++kernel_read_system_state(audisp_remote_t) ++ corecmd_exec_bin(audisp_remote_t) -corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,13 +325,27 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,13 +327,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -36738,7 +36764,6 @@ index 59b04c1..5ac28ce 100644 +auth_use_nsswitch(audisp_remote_t) +auth_append_login_records(audisp_remote_t) + -+ +init_telinit(audisp_remote_t) +init_read_utmp(audisp_remote_t) +init_dontaudit_write_utmp(audisp_remote_t) @@ -36754,7 +36779,7 @@ index 59b04c1..5ac28ce 100644 ######################################## # # klogd local policy -@@ -326,7 +385,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +386,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -36762,7 +36787,7 @@ index 59b04c1..5ac28ce 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +413,12 @@ optional_policy(` +@@ -355,13 +414,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! 
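Review bot: `kernel_read_system_state(audisp_remote_t)` gives the remote audit dispatcher read access to the generic /proc system state, and nothing in the hunk says which file it needs; the changelog only says "read system state". A one-line comment above it naming the path that produced the denial and the bug it came from (for example `# audisp-remote reads /proc/<path> at startup, BZ #...` with the real values) would document the grant and let a later reviewer judge whether a narrower kernel_ interface suffices. The audisp_remote_t policy section starts before this hunk and continues after it.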
@@ -36779,7 +36804,7 @@ index 59b04c1..5ac28ce 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +426,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,11 +427,15 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -36796,7 +36821,7 @@ index 59b04c1..5ac28ce 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +450,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +451,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -36847,7 +36872,7 @@ index 59b04c1..5ac28ce 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +500,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +501,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -36856,7 +36881,7 @@ index 59b04c1..5ac28ce 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +512,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +513,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) 
@@ -36890,7 +36915,7 @@ index 59b04c1..5ac28ce 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +551,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +552,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -36908,7 +36933,7 @@ index 59b04c1..5ac28ce 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +573,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +574,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -36924,7 +36949,7 @@ index 59b04c1..5ac28ce 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +605,7 @@ optional_policy(` +@@ -497,6 +606,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -36932,7 +36957,7 @@ index 59b04c1..5ac28ce 100644 ') optional_policy(` -@@ -507,15 +616,40 @@ optional_policy(` +@@ -507,15 +617,40 @@ optional_policy(` ') optional_policy(` @@ -36973,7 +36998,7 @@ index 59b04c1..5ac28ce 100644 ') optional_policy(` -@@ -526,3 +660,26 @@ optional_policy(` +@@ -526,3 +661,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -43649,10 +43674,10 @@ index 0000000..cde0261 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..ea27f86 +index 0000000..11cbcf8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,721 @@ +@@ -0,0 +1,723 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -43924,6 +43949,8 @@ index 0000000..ea27f86 + +auth_use_nsswitch(systemd_networkd_t) + ++logging_send_syslog_msg(systemd_networkd_t) ++ +sysnet_manage_config(systemd_networkd_t) +sysnet_manage_config_dirs(systemd_networkd_t) + 
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 1fd3df8..b1f2938 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5209,7 +5209,7 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..d007ab0 100644 +index 6649962..7abf562 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -5919,7 +5919,15 @@ index 6649962..d007ab0 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; -@@ -450,140 +574,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -438,6 +562,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi + + manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) + manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) ++manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) + files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) + + setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +@@ -450,140 +575,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6159,7 +6167,7 @@ index 6649962..d007ab0 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
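Review bot: `manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)` lets the web server create, rename and remove symlinks with arbitrary targets under its var_lib type, and the hunk gives no indication which module needs it. Exposure is contained because following a link still requires httpd_t to have access to the target's type, but a comment naming the consumer, `# <module> creates symlinks under /var/lib/httpd`, keeps the grant reviewable; if only one subdirectory needs it, a dedicated type for that subdirectory would be narrower. The httpd_t block continues outside the hunk.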
@@ -6219,7 +6227,7 @@ index 6649962..d007ab0 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6322,7 +6330,7 @@ index 6649962..d007ab0 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6403,7 +6411,7 @@ index 6649962..d007ab0 100644 ') optional_policy(` -@@ -749,24 +916,32 @@ optional_policy(` +@@ -749,24 +917,32 @@ optional_policy(` ') optional_policy(` @@ -6442,7 +6450,7 @@ index 6649962..d007ab0 100644 ') optional_policy(` -@@ -775,6 +950,10 @@ optional_policy(` +@@ -775,6 +951,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6453,7 +6461,7 @@ index 6649962..d007ab0 100644 ') optional_policy(` -@@ -786,35 +965,60 @@ optional_policy(` +@@ -786,35 +966,60 @@ optional_policy(` ') optional_policy(` @@ -6527,7 +6535,7 @@ index 6649962..d007ab0 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1026,30 @@ optional_policy(` +@@ -822,8 +1027,30 @@ optional_policy(` ') optional_policy(` @@ -6558,7 +6566,7 @@ index 6649962..d007ab0 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1058,8 @@ optional_policy(` +@@ -832,6 +1059,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6567,7 +6575,7 @@ index 6649962..d007ab0 100644 ') optional_policy(` -@@ -842,20 +1070,40 @@ optional_policy(` +@@ -842,20 +1071,40 @@ optional_policy(` ') optional_policy(` 
@@ -6614,7 +6622,7 @@ index 6649962..d007ab0 100644 ') optional_policy(` -@@ -863,16 +1111,31 @@ optional_policy(` +@@ -863,16 +1112,31 @@ optional_policy(` ') optional_policy(` @@ -6648,7 +6656,7 @@ index 6649962..d007ab0 100644 ') optional_policy(` -@@ -883,65 +1146,189 @@ optional_policy(` +@@ -883,65 +1147,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6860,7 +6868,7 @@ index 6649962..d007ab0 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1337,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1338,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7014,7 +7022,7 @@ index 6649962..d007ab0 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1422,107 @@ optional_policy(` +@@ -1083,172 +1423,107 @@ optional_policy(` ') ') @@ -7252,7 +7260,7 @@ index 6649962..d007ab0 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1530,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1531,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7349,7 +7357,7 @@ index 6649962..d007ab0 100644 ######################################## # -@@ -1321,8 +1605,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1606,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7366,7 +7374,7 @@ index 6649962..d007ab0 100644 ') ######################################## -@@ -1330,49 +1621,38 @@ optional_policy(` +@@ -1330,49 +1622,38 @@ optional_policy(` # User content local policy # @@ -7431,7 +7439,7 @@ index 6649962..d007ab0 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1662,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1663,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -12740,10 +12748,10 @@ index 0000000..5955ff0 + gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) +') diff --git a/chronyd.fc b/chronyd.fc -index 4e4143e..e20f1b4 100644 +index 4e4143e..16d23e1 100644 --- a/chronyd.fc +++ b/chronyd.fc -@@ -1,8 +1,11 @@ +@@ -1,13 +1,17 @@ -/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) +/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0) @@ -12756,11 +12764,42 @@ index 4e4143e..e20f1b4 100644 /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) + /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) + + /var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) ++/var/run/chrony-helper(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) + /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) + /var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/chronyd.if b/chronyd.if -index 32e8265..74fd151 100644 +index 32e8265..c5a2913 100644 --- a/chronyd.if +++ b/chronyd.if -@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',` +@@ -57,6 +57,24 @@ interface(`chronyd_exec',` + can_exec($1, chronyd_exec_t) + ') + ++######################################## ++## ++## Send generic signals to chronyd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`chronyd_signal',` ++ gen_require(` ++ type chronyd_t; ++ ') ++ ++ allow $1 chronyd_t:process signal; ++') ++ + ##################################### + ## + ## Read chronyd log files. +@@ -100,8 +118,7 @@ interface(`chronyd_rw_shm',` ######################################## ## @@ -12770,7 +12809,7 @@ index 32e8265..74fd151 100644 ## ## ## -@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',` +@@ -109,19 +126,17 @@ interface(`chronyd_rw_shm',` ## ## # 
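Review bot: The new `/var/run/chrony-helper(/.*)` file context does not match the directory itself, only entries beneath it, because the group lacks the optional `?`, while the changelog says the intent is to label the directory. Use `/var/run/chrony-helper(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)` so restorecon and tmpfiles relabeling cover the directory as well (the existing `/var/run/chronyd(/.*)` line has the same gap, but it is pre-existing). If the directory is only ever created by chronyd_t at runtime, the label actually comes from a `files_pid_filetrans` for `dir`, which is not visible in this hunk and should be confirmed.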
@@ -12794,7 +12833,7 @@ index 32e8265..74fd151 100644 ## ## ## -@@ -129,18 +126,62 @@ interface(`chronyd_stream_connect',` +@@ -129,18 +144,62 @@ interface(`chronyd_stream_connect',` ## ## # @@ -12860,7 +12899,7 @@ index 32e8265..74fd151 100644 ##
## ## -@@ -148,13 +189,13 @@ interface(`chronyd_dgram_send',` +@@ -148,13 +207,13 @@ interface(`chronyd_dgram_send',` ## ## # @@ -12878,7 +12917,7 @@ index 32e8265..74fd151 100644 ') #################################### -@@ -176,28 +217,38 @@ interface(`chronyd_read_key_files',` +@@ -176,28 +235,38 @@ interface(`chronyd_read_key_files',` # interface(`chronyd_admin',` gen_require(` @@ -12927,7 +12966,7 @@ index 32e8265..74fd151 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..08ecb52 100644 +index e5b621c..337110c 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -12958,7 +12997,7 @@ index e5b621c..08ecb52 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,34 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,36 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -12980,6 +13019,8 @@ index e5b621c..08ecb52 100644 +mta_send_mail(chronyd_t) + +sysnet_read_dhcpc_state(chronyd_t) ++ ++systemd_exec_systemctl(chronyd_t) optional_policy(` gpsd_rw_shm(chronyd_t) @@ -14869,7 +14910,7 @@ index 954309e..6780142 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..294d8e0 100644 +index 6471fa8..3baa00b 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,59 @@ files_type(collectd_var_lib_t) @@ -14941,10 +14982,16 @@ index 6471fa8..294d8e0 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +91,35 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -74,17 +90,41 @@ tunable_policy(`collectd_tcp_network_connect',` + corenet_tcp_sendrecv_all_ports(collectd_t) ') - optional_policy(` ++ ++optional_policy(` ++ pdns_stream_connect(collectd_t) ++') ++ ++optional_policy(` + mysql_stream_connect(collectd_t) +') + 
@@ -14956,7 +15003,7 @@ index 6471fa8..294d8e0 100644 + snmp_read_snmp_var_lib_dirs(collectd_t) +') + -+optional_policy(` + optional_policy(` virt_read_config(collectd_t) + virt_stream_connect(collectd_t) ') 
@@ -35415,6 +35462,329 @@ index b9e60ec..0477728 100644 userdom_dontaudit_use_unpriv_user_fds(howl_t) userdom_dontaudit_search_user_home_dirs(howl_t) +diff --git a/hsqldb.fc b/hsqldb.fc +new file mode 100644 +index 0000000..aa92d71 +--- /dev/null ++++ b/hsqldb.fc +@@ -0,0 +1,7 @@ ++/usr/lib/hsqldb/hsqldb-post -- gen_context(system_u:object_r:hsqldb_exec_t,s0) ++/usr/lib/hsqldb/hsqldb-stop -- gen_context(system_u:object_r:hsqldb_exec_t,s0) ++/usr/lib/hsqldb/hsqldb-wrapper -- gen_context(system_u:object_r:hsqldb_exec_t,s0) ++ ++/usr/lib/systemd/system/hsqldb.* -- gen_context(system_u:object_r:hsqldb_unit_file_t,s0) ++ ++/var/lib/hsqldb(/.*)? gen_context(system_u:object_r:hsqldb_var_lib_t,s0) +diff --git a/hsqldb.if b/hsqldb.if +new file mode 100644 +index 0000000..f43f748 +--- /dev/null ++++ b/hsqldb.if +@@ -0,0 +1,241 @@ ++ ++## Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. ++ ++######################################## ++## ++## Execute hsqldb_exec_t in the hsqldb domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`hsqldb_domtrans',` ++ gen_require(` ++ type hsqldb_t, hsqldb_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, hsqldb_exec_t, hsqldb_t) ++') ++ ++###################################### ++## ++## Execute hsqldb in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hsqldb_exec',` ++ gen_require(` ++ type hsqldb_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, hsqldb_exec_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to read, ++## hsqldb tmp files ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`hsqldb_dontaudit_read_tmp_files',` ++ gen_require(` ++ type hsqldb_tmp_t; ++ ') ++ ++ dontaudit $1 hsqldb_tmp_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read hsqldb tmp files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hsqldb_read_tmp_files',` ++ gen_require(` ++ type hsqldb_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t) ++') ++ ++######################################## ++## ++## Manage hsqldb tmp files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hsqldb_manage_tmp',` ++ gen_require(` ++ type hsqldb_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_dirs_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t) ++ manage_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t) ++ manage_lnk_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t) ++') ++ ++######################################## ++## ++## Search hsqldb lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hsqldb_search_lib',` ++ gen_require(` ++ type hsqldb_var_lib_t; ++ ') ++ ++ allow $1 hsqldb_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read hsqldb lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hsqldb_read_lib_files',` ++ gen_require(` ++ type hsqldb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t) ++') ++ ++######################################## ++## ++## Manage hsqldb lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hsqldb_manage_lib_files',` ++ gen_require(` ++ type hsqldb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t) ++') ++ ++######################################## ++## ++## Manage hsqldb lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`hsqldb_manage_lib_dirs',` ++ gen_require(` ++ type hsqldb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t) ++') ++ ++######################################## ++## ++## Execute hsqldb server in the hsqldb domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`hsqldb_systemctl',` ++ gen_require(` ++ type hsqldb_t; ++ type hsqldb_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 hsqldb_unit_file_t:file read_file_perms; ++ allow $1 hsqldb_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, hsqldb_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an hsqldb environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hsqldb_admin',` ++ gen_require(` ++ type hsqldb_t; ++ type hsqldb_tmp_t; ++ type hsqldb_var_lib_t; ++ type hsqldb_unit_file_t; ++ ') ++ ++ allow $1 hsqldb_t:process { signal_perms }; ++ ps_process_pattern($1, hsqldb_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 hsqldb_t:process ptrace; ++ ') ++ ++ files_search_tmp($1) ++ admin_pattern($1, hsqldb_tmp_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, hsqldb_var_lib_t) ++ ++ hsqldb_systemctl($1) ++ admin_pattern($1, hsqldb_unit_file_t) ++ allow $1 hsqldb_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/hsqldb.te b/hsqldb.te +new file mode 100644 +index 0000000..28816b4 +--- /dev/null ++++ b/hsqldb.te +@@ -0,0 +1,57 @@ ++policy_module(hsqldb, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type hsqldb_t; ++type hsqldb_exec_t; ++init_daemon_domain(hsqldb_t, hsqldb_exec_t) ++ ++type hsqldb_tmp_t; ++files_tmp_file(hsqldb_tmp_t) ++ ++type hsqldb_var_lib_t; ++files_type(hsqldb_var_lib_t) 
++ ++type hsqldb_unit_file_t; ++systemd_unit_file(hsqldb_unit_file_t) ++ ++######################################## ++# ++# hsqldb local policy ++# ++ ++allow hsqldb_t self:process execmem; ++ ++allow hsqldb_t self:fifo_file rw_fifo_file_perms; ++allow hsqldb_t self:stream_socket_class_set create_stream_socket_perms; ++ ++manage_dirs_pattern(hsqldb_t, hsqldb_tmp_t, hsqldb_tmp_t) ++manage_files_pattern(hsqldb_t, hsqldb_tmp_t, hsqldb_tmp_t) ++files_tmp_filetrans(hsqldb_t, hsqldb_tmp_t, { dir file }) ++ ++manage_dirs_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t) ++manage_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t) ++manage_lnk_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t) ++manage_sock_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t) ++files_var_lib_filetrans(hsqldb_t, hsqldb_var_lib_t, { dir }) ++ ++kernel_read_system_state(hsqldb_t) ++kernel_read_network_state(hsqldb_t) ++ ++corecmd_exec_bin(hsqldb_t) ++ ++corenet_tcp_bind_generic_node(hsqldb_t) ++corenet_tcp_bind_tor_port(hsqldb_t) ++corenet_tcp_connect_tor_port(hsqldb_t) ++ ++dev_list_sysfs(hsqldb_t) ++ ++dev_read_urand(hsqldb_t) ++dev_read_rand(hsqldb_t) ++ ++auth_use_nsswitch(hsqldb_t) ++ ++sysnet_read_config(hsqldb_t) diff --git a/hypervkvp.fc b/hypervkvp.fc index b46130e..e2ae3b2 100644 --- a/hypervkvp.fc @@ -39422,7 +39792,7 @@ index 0000000..20adcb3 + ') +') diff --git a/kerberos.fc b/kerberos.fc -index 4fe75fd..f01d946 100644 +index 4fe75fd..3504a9b 100644 --- a/kerberos.fc +++ b/kerberos.fc @@ -1,52 +1,54 @@ 
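Review bot: `corenet_tcp_bind_tor_port(hsqldb_t)` and `corenet_tcp_connect_tor_port(hsqldb_t)` in the new hsqldb.te bind the database to the tor port type rather than a dedicated one; this appears to be because HSQLDB's default listener port falls inside refpolicy's tor_port_t assignment, but reusing that type means every domain allowed to reach tor can reach the database socket and hsqldb_t can reach tor. A dedicated port type would require moving that port out of tor in the base policy, so at minimum a comment, `# HSQLDB default port 9001 is currently assigned to tor_port_t`, should record that the overlap is deliberate. Likewise `allow hsqldb_t self:process execmem;` weakens W^X for the domain without explanation; `# JVM needs executable anonymous memory` would justify it if that is the reason.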
@@ -39508,7 +39878,7 @@ index 4fe75fd..f01d946 100644 + +/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/kadmin_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0) -+/var/tmp/kiprop_0 -- gen_context(system_u:object_r:krb5kdc_tmp_t,s0) ++/var/tmp/kiprop_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) @@ -42881,10 +43251,10 @@ index 0000000..7ba5060 + diff --git a/linuxptp.te b/linuxptp.te new file mode 100644 -index 0000000..70dc4c3 +index 0000000..9f7ea8e --- /dev/null +++ b/linuxptp.te -@@ -0,0 +1,173 @@ +@@ -0,0 +1,179 @@ +policy_module(linuxptp, 1.0.0) + + @@ -42973,6 +43343,12 @@ index 0000000..70dc4c3 + gpsd_rw_shm(timemaster_t) +') + ++ ++optional_policy(` ++ chronyd_signal(timemaster_t) ++') ++ ++ +optional_policy(` + linuxptp_domtrans_ptp4l(timemaster_t) +') @@ -43183,6 +43559,16 @@ index 2f974bf..f6e97fa 100644 ') optional_policy(` +diff --git a/lldpad.fc b/lldpad.fc +index 8031a78..72e56ac 100644 +--- a/lldpad.fc ++++ b/lldpad.fc +@@ -5,3 +5,5 @@ + /var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0) + + /var/run/lldpad.* gen_context(system_u:object_r:lldpad_var_run_t,s0) ++ ++/dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0) diff --git a/lldpad.if b/lldpad.if index d18c960..fb5b674 100644 --- a/lldpad.if @@ -43229,7 +43615,7 @@ index d18c960..fb5b674 100644 domain_system_change_exemption($1) role_transition $2 lldpad_initrc_exec_t system_r; diff --git a/lldpad.te b/lldpad.te -index 2a491d9..dcd3ae6 100644 +index 2a491d9..42e5578 100644 --- a/lldpad.te +++ b/lldpad.te @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) 
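Review bot: The new `/dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0)` entry only takes effect on relabel; objects lldpad creates in /dev/shm at runtime get their type from the domain's tmpfs type transition, not from file contexts. No `fs_tmpfs_filetrans(lldpad_t, lldpad_tmpfs_t, file)` is visible in this hunk, so if lldpad.te lacks one the runtime objects will be created with the generic tmpfs type and the fc line alone will not fix the denials; confirm the transition exists or add it alongside the fc entry. The `--` restriction to regular files is appropriate for shm_open objects.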
@@ -43241,12 +43627,13 @@ index 2a491d9..dcd3ae6 100644 allow lldpad_t self:shm create_shm_perms; allow lldpad_t self:fifo_file rw_fifo_file_perms; allow lldpad_t self:unix_stream_socket { accept listen }; -@@ -51,12 +51,14 @@ kernel_request_load_module(lldpad_t) +@@ -51,12 +51,16 @@ kernel_request_load_module(lldpad_t) dev_read_sysfs(lldpad_t) -files_read_etc_files(lldpad_t) -- ++fs_getattr_tmpfs(lldpad_t) + logging_send_syslog_msg(lldpad_t) -miscfiles_read_localization(lldpad_t) @@ -65188,10 +65575,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..530fe1d +index 0000000..e24db6b --- /dev/null +++ b/pcp.te -@@ -0,0 +1,258 @@ +@@ -0,0 +1,259 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -65259,6 +65646,7 @@ index 0000000..530fe1d +manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) +manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) +manage_sock_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++manage_lnk_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) +exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) +files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir}) + @@ -65566,10 +65954,10 @@ index 0000000..22bc51b +/etc/pdns(/.*)? gen_context(system_u:object_r:pdns_conf_t,s0) diff --git a/pdns.if b/pdns.if new file mode 100644 -index 0000000..08314c4 +index 0000000..02df03a --- /dev/null +++ b/pdns.if -@@ -0,0 +1,63 @@ +@@ -0,0 +1,81 @@ +## PowerDNS DNS server. + +######################################## 
@@ -65632,7 +66020,25 @@ index 0000000..08314c4 + read_lnk_files_pattern($1, pdns_conf_t, pdns_conf_t) +') + ++######################################## ++## ++## Connect to pdns over an unix ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pdns_stream_connect',` ++ gen_require(` ++ type pdns_t, pdns_var_run_t; ++ ') + ++ files_search_pids($1) ++ stream_connect_pattern($1, pdns_var_run_t, pdns_var_run_t, pdns_t) ++') diff --git a/pdns.te b/pdns.te new file mode 100644 index 0000000..509d898 @@ -84719,7 +85125,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..e44a0d9 100644 +index d32e1a2..e030327 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -84758,7 +85164,7 @@ index d32e1a2..e44a0d9 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,75 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,78 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -84784,6 +85190,9 @@ index d32e1a2..e44a0d9 100644 +files_manage_generic_locks(rhsmcertd_t) +files_manage_system_conf_files(rhsmcertd_t) +files_create_boot_flag(rhsmcertd_t) ++files_dontaudit_write_all_mountpoints(rhsmcertd_t) ++ ++fs_dontaudit_write_configfs_dirs(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) + @@ -90097,7 +90506,7 @@ index 50d07fb..337a3e7 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..b74b683 100644 +index 2b7c441..0c7bfd4 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) 
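Review bot: `files_dontaudit_write_all_mountpoints(rhsmcertd_t)` and `fs_dontaudit_write_configfs_dirs(rhsmcertd_t)` suppress write denials across every mountpoint and configfs directory, which also silences the denial you would want to see if this daemon, which per the adjacent lines already has `files_manage_system_conf_files` and `files_create_boot_flag`, ever tried to write somewhere it should not. If the noise comes from a known probe, say so above the rules, `# rhsmcertd probes mountpoints for writability; deny silently`, so the dontaudit is not mistaken for a missing allow later. If it genuinely needs to write a particular mountpoint, an explicit allow on that type is better than hiding the AVC. The rhsmcertd_t block continues outside the hunk.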
@@ -90336,8 +90745,11 @@ index 2b7c441..b74b683 100644 allow samba_net_t samba_etc_t:file read_file_perms; -@@ -210,17 +208,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) +@@ -208,19 +206,25 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) + manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) + manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) ++manage_sock_files_pattern(samba_net_t, samba_var_t, samba_var_t) files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") +kernel_read_proc_symlinks(samba_net_t) @@ -90363,7 +90775,7 @@ index 2b7c441..b74b683 100644 dev_read_urand(samba_net_t) -@@ -233,15 +236,22 @@ auth_manage_cache(samba_net_t) +@@ -233,15 +237,22 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -90390,7 +90802,7 @@ index 2b7c441..b74b683 100644 ') optional_policy(` -@@ -249,46 +259,59 @@ optional_policy(` +@@ -249,46 +260,59 @@ optional_policy(` ') optional_policy(` @@ -90463,7 +90875,7 @@ index 2b7c441..b74b683 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -298,65 +321,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -298,65 +322,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -90560,7 +90972,7 @@ index 2b7c441..b74b683 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) -@@ -366,44 +396,53 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +397,53 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) 
@@ -90626,7 +91038,7 @@ index 2b7c441..b74b683 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +458,10 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +459,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -90649,7 +91061,7 @@ index 2b7c441..b74b683 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +470,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +471,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -90657,7 +91069,7 @@ index 2b7c441..b74b683 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,15 +478,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,15 +479,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -90677,7 +91089,7 @@ index 2b7c441..b74b683 100644 ') optional_policy(` -@@ -466,6 +491,7 @@ optional_policy(` +@@ -466,6 +492,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -90685,7 +91097,7 @@ index 2b7c441..b74b683 100644 ') optional_policy(` -@@ -474,11 +500,30 @@ optional_policy(` +@@ -474,11 +501,30 @@ optional_policy(` ') optional_policy(` @@ -90716,7 +91128,7 @@ index 2b7c441..b74b683 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +533,10 @@ optional_policy(` +@@ -488,6 +534,10 @@ optional_policy(` ') optional_policy(` @@ -90727,7 +91139,7 @@ index 2b7c441..b74b683 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +548,48 @@ optional_policy(` +@@ -499,9 +549,48 @@ optional_policy(` udev_read_db(smbd_t) ') 
@@ -90777,7 +91189,7 @@ index 2b7c441..b74b683 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +600,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +601,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -90792,7 +91204,7 @@ index 2b7c441..b74b683 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +616,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +617,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -90816,7 +91228,7 @@ index 2b7c441..b74b683 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +632,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +633,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -90885,7 +91297,7 @@ index 2b7c441..b74b683 100644 ') optional_policy(` -@@ -606,16 +682,22 @@ optional_policy(` +@@ -606,16 +683,22 @@ optional_policy(` ######################################## # @@ -90912,7 +91324,7 @@ index 2b7c441..b74b683 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +709,13 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +710,13 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -90931,7 +91343,7 @@ index 2b7c441..b74b683 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +723,23 @@ optional_policy(` +@@ -644,22 +724,23 @@ optional_policy(` ######################################## # 
@@ -90963,7 +91375,7 @@ index 2b7c441..b74b683 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +748,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +749,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -90999,7 +91411,7 @@ index 2b7c441..b74b683 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +775,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +776,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -91091,7 +91503,7 @@ index 2b7c441..b74b683 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +854,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +855,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -91115,7 +91527,7 @@ index 2b7c441..b74b683 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +868,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +869,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -91158,7 +91570,7 @@ index 2b7c441..b74b683 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +898,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +899,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -91172,7 +91584,7 @@ index 2b7c441..b74b683 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +921,20 @@ optional_policy(` +@@ -840,17 +922,20 @@ optional_policy(` # Winbind local policy # 
@@ -91198,7 +91610,7 @@ index 2b7c441..b74b683 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +944,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +945,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -91209,7 +91621,7 @@ index 2b7c441..b74b683 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +955,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +956,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -91262,7 +91674,7 @@ index 2b7c441..b74b683 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +997,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +998,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -91321,7 +91733,7 @@ index 2b7c441..b74b683 100644 ') optional_policy(` -@@ -959,31 +1058,35 @@ optional_policy(` +@@ -959,31 +1059,35 @@ optional_policy(` # Winbind helper local policy # @@ -91364,7 +91776,7 @@ index 2b7c441..b74b683 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1100,38 @@ optional_policy(` +@@ -997,25 +1101,38 @@ optional_policy(` ######################################## # diff --git a/selinux-policy.spec b/selinux-policy.spec index b88f90a..779a794 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 141%{?dist}
+Release: 142%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,40 @@ exit 0 %endif %changelog +* Tue Aug 18 2015 Lukas Vrabec 3.13.1-142 +- Allow samba_net_t to manage samba_var_t sock files. +- Allow httpd daemon to manage httpd_var_lib_t lnk_files. +- Allow collectd stream connect to pdns.(BZ #1191044) +- Add interface pdns_stream_connect() +- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib +- Allow chronyd exec systemctl +- Merge pull request #30 from vmojzis/rawhide-contrib +- Hsqldb policy upgrade -Allow sock_file management +- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t. +- Hsqldb policy upgrade. -Disallow hsqldb_tmp_t link_file management +- Hsqldb policy upgrade: -Remove tmp link_file transition -Add policy summary -Remove redundant parameter for "hsqldb_admin" interface +- Label /var/run/chrony-helper dir as chronyd_var_run_t. +- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldapd_tmpfs_t +- Fix label on /var/tmp/kiprop_0 +- Add mountpoint dontaudit access check in rhsmcertd policy. +- Allow pcp_domain to manage pcp_var_lib_t lnk_files. +- Allow chronyd to execute mkdir command. +- Allow chronyd_t to read dhcpc state. +- Label /usr/libexec/chrony-helper as chronyd_exec_t +- Allow openhpid liboa_soap plugin to read resolv.conf file. +- Allow openhpid liboa_soap plugin to read generic certs. +- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) +- Allow logrotate to reload services. +- Allow apcupsd_t to read /sys/devices +- Allow kpropd to connect to kropd tcp port. +- Allow systemd_networkd to send logs to syslog. +- Added interface fs_dontaudit_write_configfs_dirs +- Allow audisp client to read system state. +- Label /var/run/xtables.lock as iptables_var_run_t. +- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde +- Add interface to read/write watchdog device. 
+- Add transition rule for iptables_var_lib_t + * Mon Aug 10 2015 Lukas Vrabec 3.13.1-141 - Allow chronyd to execute mkdir command. - Allow chronyd_t to read dhcpc state.