diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 35c2662..251805a 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1593fb5..337540a 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -11023,7 +11023,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..f0133ab 100644
+index f962f76..917b5b2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11279,7 +11279,32 @@ index f962f76..f0133ab 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',`
+@@ -545,6 +711,24 @@ interface(`files_write_non_security_dirs',`
+
+ ########################################
+ ##
++## Allow attempts to setattr any directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir { read setattr };
++')
++
++########################################
++##
+ ## Allow attempts to manage non-security directories
+ ##
+ ##
+@@ -582,6 +766,42 @@ interface(`files_getattr_all_files',`
########################################
##
@@ -11322,7 +11347,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to get the attributes
## of all files.
##
-@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +840,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
##
@@ -11386,7 +11411,7 @@ index f962f76..f0133ab 100644
## Read all files.
##
##
-@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',`
+@@ -683,88 +960,83 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -11504,7 +11529,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',`
+@@ -772,40 +1044,158 @@ interface(`files_read_all_symlinks_except',`
##
##
#
@@ -11566,23 +11591,19 @@ index f962f76..f0133ab 100644
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
- ##
- ##
- #
--interface(`files_dontaudit_read_all_symlinks',`
++##
++##
++#
+interface(`files_read_all_dirs_except',`
- gen_require(`
- attribute file_type;
- ')
-
-- dontaudit $1 file_type:lnk_file read;
++ gen_require(`
++ attribute file_type;
++ ')
++
+ allow $1 { file_type $2 }:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of non security symbolic links.
++')
++
++########################################
++##
+## Read all files on the filesystem, except
+## the listed exceptions.
+##
@@ -11675,25 +11696,10 @@ index f962f76..f0133ab 100644
+##
+##
+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_all_symlinks',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ dontaudit $1 file_type:lnk_file read;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of non security symbolic links.
- ##
- ##
- ##
-@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+ ##
+ ##
+ #
+@@ -953,6 +1343,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
##
@@ -11719,7 +11725,7 @@ index f962f76..f0133ab 100644
## Get the attributes of all named sockets.
##
##
-@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1400,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
##
@@ -11764,7 +11770,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
##
-@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',`
+@@ -1073,13 +1520,12 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -11781,7 +11787,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',`
+@@ -1140,6 +1586,8 @@ interface(`files_manage_all_files',`
# satisfy the assertions:
seutil_create_bin_policy($1)
files_manage_kernel_modules($1)
@@ -11790,7 +11796,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -1182,24 +1612,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1630,6 @@ interface(`files_list_all',`
########################################
##
@@ -11815,7 +11821,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',`
+@@ -1444,8 +1874,8 @@ interface(`files_relabel_non_auth_files',`
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -11826,7 +11832,7 @@ index f962f76..f0133ab 100644
')
#############################################
-@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2031,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
##
@@ -11851,7 +11857,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1691,44 +2121,44 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,44 +2139,44 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -11910,7 +11916,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -1736,94 +2166,223 @@ interface(`files_list_root',`
+@@ -1736,79 +2184,208 @@ interface(`files_list_root',`
##
##
#
@@ -12004,24 +12010,19 @@ index f962f76..f0133ab 100644
#
-interface(`files_dontaudit_read_root_files',`
+interface(`files_write_all_dirs',`
- gen_require(`
-- type root_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 root_t:file { getattr read };
++ ')
++
+ allow $1 file_type:dir write;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read or write
--## files in the root directory.
++')
++
++########################################
++##
+## List the contents of the root directory.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
+##
+##
@@ -12155,25 +12156,10 @@ index f962f76..f0133ab 100644
+##
+#
+interface(`files_dontaudit_read_root_files',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ dontaudit $1 root_t:file { getattr read };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## files in the root directory.
-+##
-+##
-+##
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1892,25 +2451,25 @@ interface(`files_delete_root_dir_entry',`
+ gen_require(`
+ type root_t;
+ ')
+@@ -1892,25 +2469,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -12205,7 +12191,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -1923,7 +2482,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2500,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -12214,7 +12200,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -1946,6 +2505,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2523,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -12257,7 +12243,7 @@ index f962f76..f0133ab 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2776,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2794,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -12282,7 +12268,7 @@ index f962f76..f0133ab 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3258,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3276,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -12307,7 +12293,7 @@ index f962f76..f0133ab 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3347,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3365,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -12315,7 +12301,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -2724,7 +3356,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3374,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -12324,7 +12310,7 @@ index f962f76..f0133ab 100644
##
##
#
-@@ -2780,6 +3412,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3430,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -12350,7 +12336,7 @@ index f962f76..f0133ab 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3449,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3467,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -12375,7 +12361,7 @@ index f962f76..f0133ab 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3632,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3650,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -12400,7 +12386,7 @@ index f962f76..f0133ab 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3021,9 +3672,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3690,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -12411,7 +12397,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -3031,18 +3680,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3698,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -12433,7 +12419,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -3060,6 +3708,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3726,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -12460,7 +12446,7 @@ index f962f76..f0133ab 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3745,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3763,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -12468,7 +12454,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3098,6 +3767,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3785,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -12476,7 +12462,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3142,10 +3812,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3830,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -12527,7 +12513,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3161,10 +3869,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3887,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
@@ -12540,7 +12526,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3180,10 +3888,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3906,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
@@ -12553,7 +12539,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3199,10 +3907,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3925,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -12566,7 +12552,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3218,10 +3926,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3944,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -12635,7 +12621,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3237,10 +4001,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +4019,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -12648,7 +12634,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3256,10 +4020,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4038,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -12680,7 +12666,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3275,10 +4058,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4076,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -12693,7 +12679,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3294,10 +4077,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4095,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -12706,7 +12692,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3313,10 +4096,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4114,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -12719,7 +12705,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3332,10 +4115,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4133,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -12732,7 +12718,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3351,10 +4134,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4152,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -12745,7 +12731,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3370,10 +4153,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4171,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -12758,7 +12744,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3389,10 +4172,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4190,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -12771,7 +12757,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3408,10 +4191,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4209,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -12784,7 +12770,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3427,10 +4210,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4228,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -12797,7 +12783,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3446,10 +4229,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4247,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -12810,7 +12796,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3465,10 +4248,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4266,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -12842,7 +12828,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3484,10 +4286,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4304,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -12855,7 +12841,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3503,10 +4305,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4323,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -12868,7 +12854,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3552,6 +4354,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4372,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -12896,7 +12882,7 @@ index f962f76..f0133ab 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4637,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4655,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -12940,7 +12926,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -4012,6 +4853,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4871,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -12953,7 +12939,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -4217,192 +5064,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,192 +5082,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13213,12 +13199,11 @@ index f962f76..f0133ab 100644
########################################
##
-## Read files in the tmp directory (/tmp).
--##
--##
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## temporary directory (/tmp).
-+##
+ ##
+-##
+##
##
-## Domain allowed access.
@@ -13269,7 +13254,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -4410,53 +5283,56 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4410,53 +5301,56 @@ interface(`files_manage_generic_tmp_dirs',`
##
##
#
@@ -13338,7 +13323,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -4464,77 +5340,93 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,77 +5358,93 @@ interface(`files_rw_generic_tmp_sockets',`
##
##
#
@@ -13456,7 +13441,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -4542,110 +5434,116 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,110 +5452,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
##
##
#
@@ -13573,40 +13558,25 @@ index f962f76..f0133ab 100644
-##
-##
-##
-+#
-+interface(`files_manage_generic_tmp_files',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ manage_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
-+## Read symbolic links in the tmp directory (/tmp).
-+##
-+##
- ##
+-##
-## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
+-##
+-##
#
-interface(`files_tmp_filetrans',`
-+interface(`files_read_generic_tmp_symlinks',`
++interface(`files_manage_generic_tmp_files',`
gen_require(`
type tmp_t;
')
- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ manage_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Delete the contents of /tmp.
-+## Read and write generic named sockets in the tmp directory (/tmp).
++## Read symbolic links in the tmp directory (/tmp).
##
##
##
@@ -13615,7 +13585,7 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_purge_tmp',`
-+interface(`files_rw_generic_tmp_sockets',`
++interface(`files_read_generic_tmp_symlinks',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
@@ -13627,13 +13597,13 @@ index f962f76..f0133ab 100644
- delete_lnk_files_pattern($1, tmpfile, tmpfile)
- delete_fifo_files_pattern($1, tmpfile, tmpfile)
- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Set the attributes of the /usr directory.
-+## Relabel a dir from the type used in /tmp.
++## Read and write generic named sockets in the tmp directory (/tmp).
##
##
##
@@ -13642,20 +13612,20 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_setattr_usr_dirs',`
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_rw_generic_tmp_sockets',`
gen_require(`
- type usr_t;
+ type tmp_t;
')
- allow $1 usr_t:dir setattr;
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++ rw_sock_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Search the content of /usr.
-+## Relabel a file from the type used in /tmp.
++## Relabel a dir from the type used in /tmp.
##
##
##
@@ -13664,21 +13634,21 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_search_usr',`
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_relabelfrom_tmp_dirs',`
gen_require(`
- type usr_t;
+ type tmp_t;
')
- allow $1 usr_t:dir search_dir_perms;
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## List the contents of generic
-## directories in /usr.
-+## Set the attributes of all tmp directories.
++## Relabel a file from the type used in /tmp.
##
##
##
@@ -13687,20 +13657,20 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_list_usr',`
-+interface(`files_setattr_all_tmp_dirs',`
++interface(`files_relabelfrom_tmp_files',`
gen_require(`
- type usr_t;
-+ attribute tmpfile;
++ type tmp_t;
')
- allow $1 usr_t:dir list_dir_perms;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Do not audit write of /usr dirs
-+## Allow caller to read inherited tmp files.
++## Set the attributes of all tmp directories.
##
##
##
@@ -13710,20 +13680,20 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_setattr_all_tmp_dirs',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
++ allow $1 tmpfile:dir { search_dir_perms setattr };
')
########################################
##
-## Add and remove entries from /usr directories.
-+## Allow caller to append inherited tmp files.
++## Allow caller to read inherited tmp files.
##
##
##
@@ -13732,21 +13702,21 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_rw_usr_dirs',`
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_read_inherited_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- allow $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
')
########################################
##
-## Do not audit attempts to add and remove
-## entries from /usr directories.
-+## Allow caller to read and write inherited tmp files.
++## Allow caller to append inherited tmp files.
##
##
##
@@ -13756,92 +13726,90 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_append_inherited_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- dontaudit $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
')
########################################
##
-## Delete generic directories in /usr in the caller domain.
-+## List all tmp directories.
++## Allow caller to read and write inherited tmp files.
##
##
##
-@@ -4786,111 +5677,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4786,17 +5677,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
##
##
#
-interface(`files_delete_usr_dirs',`
-+interface(`files_list_all_tmp',`
++interface(`files_rw_inherited_tmp_file',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- delete_dirs_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
')
########################################
##
-## Delete generic files in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## directory types.
++## List all tmp directories.
##
##
##
- ## Domain allowed access.
+@@ -4804,73 +5695,59 @@ interface(`files_delete_usr_dirs',`
##
##
-+##
#
-interface(`files_delete_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_list_all_tmp',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
-+ type var_t;
')
- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:dir list_dir_perms;
')
########################################
##
-## Get the attributes of files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
++## Relabel to and from all temporary
++## directory types.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
++##
#
-interface(`files_getattr_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
++ type var_t;
')
- getattr_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
')
########################################
##
-## Read generic files in /usr.
-+## Allow attempts to get the attributes
++## Do not audit attempts to get the attributes
+## of all tmp files.
##
-##
@@ -13863,13 +13831,14 @@ index f962f76..f0133ab 100644
-##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-##
#
-interface(`files_read_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
@@ -13878,67 +13847,74 @@ index f962f76..f0133ab 100644
- allow $1 usr_t:dir list_dir_perms;
- read_files_pattern($1, usr_t, usr_t)
- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
++ dontaudit $1 tmpfile:file getattr;
')
########################################
##
-## Execute generic programs in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## file types.
++## Allow attempts to get the attributes
++## of all tmp files.
##
##
##
- ## Domain allowed access.
+@@ -4878,55 +5755,58 @@ interface(`files_read_usr_files',`
##
##
-+##
#
-interface(`files_exec_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
++interface(`files_getattr_all_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
-+ type var_t;
')
- allow $1 usr_t:dir list_dir_perms;
- exec_files_pattern($1, usr_t, usr_t)
- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:file getattr;
')
########################################
##
-## dontaudit write of /usr files
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
++## Relabel to and from all temporary
++## file types.
##
##
##
-@@ -4898,35 +5778,17 @@ interface(`files_exec_usr_files',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
++##
#
-interface(`files_dontaudit_write_usr_files',`
-- gen_require(`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
- type usr_t;
-- ')
--
++ attribute tmpfile;
++ type var_t;
+ ')
+
- dontaudit $1 usr_t:file write;
--')
--
--########################################
--##
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ##
-## Create, read, write, and delete files in the /usr directory.
--##
--##
--##
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
+ ##
+ ##
+ ##
-## Domain allowed access.
--##
--##
--#
++## Domain to not audit.
+ ##
+ ##
+ #
-interface(`files_manage_usr_files',`
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
gen_require(`
@@ -13957,7 +13933,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -4934,67 +5796,70 @@ interface(`files_manage_usr_files',`
+@@ -4934,67 +5814,70 @@ interface(`files_manage_usr_files',`
##
##
#
@@ -14046,7 +14022,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5003,35 +5868,50 @@ interface(`files_read_usr_symlinks',`
+@@ -5003,35 +5886,50 @@ interface(`files_read_usr_symlinks',`
##
##
#
@@ -14106,7 +14082,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5039,20 +5919,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5039,20 +5937,17 @@ interface(`files_dontaudit_search_src',`
##
##
#
@@ -14131,7 +14107,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5060,20 +5937,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5060,20 +5955,18 @@ interface(`files_getattr_usr_src_files',`
##
##
#
@@ -14156,7 +14132,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5081,38 +5956,35 @@ interface(`files_read_usr_src_files',`
+@@ -5081,38 +5974,35 @@ interface(`files_read_usr_src_files',`
##
##
#
@@ -14204,7 +14180,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5120,37 +5992,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5120,37 +6010,36 @@ interface(`files_create_kernel_symbol_table',`
##
##
#
@@ -14252,7 +14228,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5158,35 +6029,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5158,35 +6047,35 @@ interface(`files_delete_kernel_symbol_table',`
##
##
#
@@ -14297,7 +14273,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5194,36 +6065,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5194,36 +6083,55 @@ interface(`files_dontaudit_write_var_dirs',`
##
##
#
@@ -14363,7 +14339,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5231,36 +6121,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5231,36 +6139,37 @@ interface(`files_dontaudit_search_var',`
##
##
#
@@ -14411,7 +14387,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5268,17 +6159,17 @@ interface(`files_manage_var_dirs',`
+@@ -5268,17 +6177,17 @@ interface(`files_manage_var_dirs',`
##
##
#
@@ -14433,7 +14409,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5286,17 +6177,17 @@ interface(`files_read_var_files',`
+@@ -5286,17 +6195,17 @@ interface(`files_read_var_files',`
##
##
#
@@ -14455,7 +14431,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5304,73 +6195,86 @@ interface(`files_append_var_files',`
+@@ -5304,73 +6213,86 @@ interface(`files_append_var_files',`
##
##
#
@@ -14562,7 +14538,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5378,50 +6282,41 @@ interface(`files_read_var_symlinks',`
+@@ -5378,50 +6300,41 @@ interface(`files_read_var_symlinks',`
##
##
#
@@ -14627,7 +14603,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5429,69 +6324,56 @@ interface(`files_var_filetrans',`
+@@ -5429,69 +6342,56 @@ interface(`files_var_filetrans',`
##
##
#
@@ -14712,7 +14688,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5499,17 +6381,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6399,18 @@ interface(`files_dontaudit_search_var_lib',`
##
##
#
@@ -14736,7 +14712,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5517,70 +6400,54 @@ interface(`files_list_var_lib',`
+@@ -5517,70 +6418,54 @@ interface(`files_list_var_lib',`
##
##
#
@@ -14820,7 +14796,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5588,41 +6455,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6473,36 @@ interface(`files_read_var_lib_files',`
##
##
#
@@ -14872,7 +14848,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5630,36 +6492,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6510,36 @@ interface(`files_manage_urandom_seed',`
##
##
#
@@ -14919,7 +14895,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5667,38 +6529,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6547,35 @@ interface(`files_setattr_lock_dirs',`
##
##
#
@@ -14967,7 +14943,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5706,19 +6565,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,19 +6583,17 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -14991,7 +14967,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5726,60 +6583,54 @@ interface(`files_list_locks',`
+@@ -5726,60 +6601,54 @@ interface(`files_list_locks',`
##
##
#
@@ -15067,7 +15043,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5787,20 +6638,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,20 +6656,18 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -15093,7 +15069,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5808,165 +6657,156 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,165 +6675,156 @@ interface(`files_getattr_generic_locks',`
##
##
#
@@ -15321,7 +15297,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5974,59 +6814,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,59 +6832,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
##
##
#
@@ -15412,7 +15388,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6034,18 +6886,18 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6904,18 @@ interface(`files_dontaudit_search_pids',`
##
##
#
@@ -15436,47 +15412,58 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6053,19 +6905,1228 @@ interface(`files_list_pids',`
+@@ -6053,19 +6923,21 @@ interface(`files_list_pids',`
##
##
#
-interface(`files_read_generic_pids',`
+interface(`files_manage_var_lib_symlinks',`
gen_require(`
+- type var_t, var_run_t;
+ type var_lib_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
+ ')
+
+# cjp: the next two interfaces really need to be fixed
+# in some way. They really neeed their own types.
+
-+########################################
-+##
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Create, read, write, and delete the
+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6073,43 +6945,1377 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_manage_urandom_seed',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_lib_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Allow domain to manage mount tables
+## necessary for rpcd, nfsd, etc.
-+##
+ ##
+-##
+##
+##
+## Domain allowed access.
@@ -16489,12 +16476,9 @@ index f962f76..f0133ab 100644
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
++ type var_t, var_run_t;
++ ')
++
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
@@ -16506,21 +16490,29 @@ index f962f76..f0133ab 100644
+## used for spool files.
+##
+##
-+##
+ ##
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+## Make the specified type usable for spool files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a spool file may result in problems with
+## purging spool files.
-+##
-+##
-+## Related interfaces:
-+##
-+##
+ ##
+ ## Related interfaces:
+ ##
+ ##
+-## - files_pid_file()
+## - files_spool_filetrans()
-+##
-+##
-+## Example usage with a domain that can create and
+ ##
+ ##
+ ## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+## write its spool file in the system spool file
+## directories (/var/spool):
+##
@@ -16529,7 +16521,7 @@ index f962f76..f0133ab 100644
+## files_spool_file(myfile_spool_t)
+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##
+ ##
+##
+##
+##
@@ -16660,36 +16652,30 @@ index f962f76..f0133ab 100644
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Write named generic process ID pipes
++')
++
++########################################
++##
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
- ##
- ##
- ##
-@@ -6073,43 +8134,170 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_generic_spool_dirs',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
++')
++
++########################################
++##
+## Read generic spool files.
+##
+##
@@ -16839,27 +16825,9 @@ index f962f76..f0133ab 100644
+########################################
+##
+## Create a core files in /
- ##
- ##
++##
++##
##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
-## type mypidfile_t;
-## files_pid_file(mypidfile_t)
-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
@@ -16868,7 +16836,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6117,80 +8305,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8323,157 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
##
##
@@ -17055,7 +17023,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6198,19 +8463,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8481,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -17079,7 +17047,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6218,18 +8481,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8499,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -17102,7 +17070,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6237,129 +8499,119 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8517,119 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -17272,7 +17240,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6367,18 +8619,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8637,19 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -17297,7 +17265,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6386,132 +8639,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8657,227 @@ interface(`files_search_spool',`
##
##
#
@@ -17571,7 +17539,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6519,53 +8867,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8885,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -17629,7 +17597,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6573,10 +8885,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8903,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -25224,7 +25192,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..a73a163 100644
+index 2522ca6..f7ff2c7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@@ -25388,14 +25356,14 @@ index 2522ca6..a73a163 100644
+
+optional_policy(`
+ consoletype_exec(sysadm_t)
++')
++
++optional_policy(`
++ daemonstools_run_start(sysadm_t, sysadm_r)
')
optional_policy(`
- cvs_exec(sysadm_t)
-+ daemonstools_run_start(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+
+ dontaudit sysadm_dbusd_t self:capability net_admin;
@@ -25430,7 +25398,19 @@ index 2522ca6..a73a163 100644
fstools_run(sysadm_t, sysadm_r)
')
-@@ -172,13 +246,31 @@ optional_policy(`
+@@ -164,6 +238,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ hwloc_admin(sysadm_t)
++ hwloc_run_dhwd(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ hadoop_role(sysadm_r, sysadm_t)
+ ')
+
+@@ -172,13 +251,31 @@ optional_policy(`
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
ipsec_exec_mgmt(sysadm_t)
@@ -25462,7 +25442,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -190,11 +282,12 @@ optional_policy(`
+@@ -190,11 +287,12 @@ optional_policy(`
')
optional_policy(`
@@ -25477,7 +25457,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -210,22 +303,20 @@ optional_policy(`
+@@ -210,22 +308,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -25506,7 +25486,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -237,14 +328,28 @@ optional_policy(`
+@@ -237,14 +333,28 @@ optional_policy(`
')
optional_policy(`
@@ -25535,7 +25515,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -252,10 +357,20 @@ optional_policy(`
+@@ -252,10 +362,20 @@ optional_policy(`
')
optional_policy(`
@@ -25556,7 +25536,7 @@ index 2522ca6..a73a163 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +381,41 @@ optional_policy(`
+@@ -266,35 +386,41 @@ optional_policy(`
')
optional_policy(`
@@ -25605,7 +25585,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -308,6 +429,7 @@ optional_policy(`
+@@ -308,6 +434,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -25613,7 +25593,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -315,12 +437,20 @@ optional_policy(`
+@@ -315,12 +442,20 @@ optional_policy(`
')
optional_policy(`
@@ -25635,7 +25615,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -345,30 +475,37 @@ optional_policy(`
+@@ -345,30 +480,37 @@ optional_policy(`
')
optional_policy(`
@@ -25682,7 +25662,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -380,10 +517,6 @@ optional_policy(`
+@@ -380,10 +522,6 @@ optional_policy(`
')
optional_policy(`
@@ -25693,7 +25673,7 @@ index 2522ca6..a73a163 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +524,9 @@ optional_policy(`
+@@ -391,6 +529,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -25703,7 +25683,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -398,31 +534,34 @@ optional_policy(`
+@@ -398,31 +539,34 @@ optional_policy(`
')
optional_policy(`
@@ -25744,7 +25724,7 @@ index 2522ca6..a73a163 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +574,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +579,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25755,7 +25735,7 @@ index 2522ca6..a73a163 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +594,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +599,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -50509,7 +50489,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..e6556aa 100644
+index 9dc60c6..595ad40 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -51204,7 +51184,7 @@ index 9dc60c6..e6556aa 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +737,132 @@ template(`userdom_common_user_template',`
+@@ -546,93 +737,137 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -51315,18 +51295,23 @@ index 9dc60c6..e6556aa 100644
optional_policy(`
- consolekit_dbus_chat($1_t)
+ hal_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat_config($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
+ ')
+
++ optional_policy(`
++ hwloc_exec_dhwd($1_t)
++ hwloc_read_runtime_files($1_t)
++ ')
++
++ optional_policy(`
++ kde_dbus_chat_backlighthelper($1_usertype)
+ ')
+
+ optional_policy(`
+ memcached_stream_connect($1_usertype)
+ ')
+
-+ optional_policy(`
+ optional_policy(`
+- cups_dbus_chat_config($1_t)
+ modemmanager_dbus_chat($1_usertype)
')
@@ -51351,31 +51336,31 @@ index 9dc60c6..e6556aa 100644
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ git_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
')
optional_policy(`
- kerberos_manage_krb5_home_files($1_t)
- kerberos_relabel_krb5_home_files($1_t)
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ lircd_stream_connect($1_usertype)
')
optional_policy(`
-@@ -642,23 +872,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +877,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -51404,7 +51389,7 @@ index 9dc60c6..e6556aa 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +899,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +904,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -51413,7 +51398,7 @@ index 9dc60c6..e6556aa 100644
')
optional_policy(`
-@@ -680,9 +908,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +913,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -51426,7 +51411,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -693,32 +921,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +926,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -51473,7 +51458,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -743,17 +974,32 @@ template(`userdom_common_user_template',`
+@@ -743,17 +979,32 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -51492,9 +51477,7 @@ index 9dc60c6..e6556aa 100644
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -51502,7 +51485,9 @@ index 9dc60c6..e6556aa 100644
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -51510,7 +51495,7 @@ index 9dc60c6..e6556aa 100644
userdom_change_password_template($1)
-@@ -761,82 +1007,112 @@ template(`userdom_login_user_template', `
+@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -51586,14 +51571,14 @@ index 9dc60c6..e6556aa 100644
- init_dontaudit_use_script_fds($1_t)
+ init_dontaudit_use_fds($1_usertype)
+ init_dontaudit_use_script_fds($1_usertype)
-
-- libs_exec_lib_files($1_t)
++
+ # Needed by pam_selinux.so calling in systemd-users
+ init_entrypoint_exec(login_userdomain)
-- logging_dontaudit_getattr_all_logs($1_t)
+- libs_exec_lib_files($1_t)
+ libs_exec_lib_files($1_usertype)
-+
+
+- logging_dontaudit_getattr_all_logs($1_t)
+ logging_dontaudit_getattr_all_logs($1_usertype)
- miscfiles_read_man_pages($1_t)
@@ -51659,7 +51644,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -868,6 +1144,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -51672,7 +51657,7 @@ index 9dc60c6..e6556aa 100644
##############################
#
# Local policy
-@@ -907,53 +1189,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -51692,14 +51677,10 @@ index 9dc60c6..e6556aa 100644
+ dev_read_rand($1_usertype)
- logging_send_syslog_msg($1_t)
-- logging_dontaudit_send_audit_msgs($1_t)
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+ dev_rw_wireless($1_usertype)
-
-- # Need to to this just so screensaver will work. Should be moved to screensaver domain
-- logging_send_audit_msgs($1_t)
-- selinux_get_enforce_mode($1_t)
++
+ libs_dontaudit_setattr_lib_files($1_usertype)
+
+ init_read_state($1_usertype)
@@ -51717,10 +51698,11 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ logging_send_syslog_msg($1_t)
-+ logging_dontaudit_send_audit_msgs($1_t)
-+
-+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
-+ selinux_get_enforce_mode($1_t)
+ logging_dontaudit_send_audit_msgs($1_t)
+
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
+- logging_send_audit_msgs($1_t)
+ selinux_get_enforce_mode($1_t)
+ seutil_exec_restorecond($1_t)
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
@@ -51827,7 +51809,7 @@ index 9dc60c6..e6556aa 100644
')
#######################################
-@@ -987,27 +1353,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -51865,7 +51847,7 @@ index 9dc60c6..e6556aa 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1390,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -51925,21 +51907,21 @@ index 9dc60c6..e6556aa 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
-+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1455,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -51950,7 +51932,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -1079,7 +1493,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -51961,7 +51943,7 @@ index 9dc60c6..e6556aa 100644
')
##############################
-@@ -1095,6 +1511,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -51969,7 +51951,7 @@ index 9dc60c6..e6556aa 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1522,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -51986,7 +51968,7 @@ index 9dc60c6..e6556aa 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1539,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -51995,7 +51977,7 @@ index 9dc60c6..e6556aa 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1558,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -52011,7 +51993,7 @@ index 9dc60c6..e6556aa 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1577,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -52056,7 +52038,7 @@ index 9dc60c6..e6556aa 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1620,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -52065,7 +52047,7 @@ index 9dc60c6..e6556aa 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1629,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -52088,7 +52070,7 @@ index 9dc60c6..e6556aa 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1679,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -52097,7 +52079,7 @@ index 9dc60c6..e6556aa 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1689,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52106,7 +52088,7 @@ index 9dc60c6..e6556aa 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1703,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -52118,7 +52100,7 @@ index 9dc60c6..e6556aa 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1717,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -52161,7 +52143,7 @@ index 9dc60c6..e6556aa 100644
')
optional_policy(`
-@@ -1357,14 +1802,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -52180,7 +52162,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1397,12 +1845,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',`
##
#
interface(`userdom_user_tmpfs_file',`
@@ -52234,7 +52216,7 @@ index 9dc60c6..e6556aa 100644
## Allow domain to attach to TUN devices created by administrative users.
##
##
-@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52266,7 +52248,7 @@ index 9dc60c6..e6556aa 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -52281,7 +52263,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -52293,7 +52275,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1613,6 +2131,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
##
@@ -52318,7 +52300,7 @@ index 9dc60c6..e6556aa 100644
## Relabel to user home directories.
##
##
-@@ -1631,6 +2167,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
##
@@ -52378,7 +52360,7 @@ index 9dc60c6..e6556aa 100644
## Create directories in the home dir root with
## the user home directory type.
##
-@@ -1704,10 +2293,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -52393,7 +52375,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1741,10 +2332,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -52408,7 +52390,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1769,7 +2362,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -52417,7 +52399,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1777,19 +2370,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -52441,7 +52423,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1797,55 +2388,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -52512,7 +52494,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1853,18 +2444,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
##
##
#
@@ -52540,7 +52522,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1872,17 +2464,167 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -52548,13 +52530,17 @@ index 9dc60c6..e6556aa 100644
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
+-
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
+ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
+ userdom_getattr_user_tmp_files($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read user home files.
+## Dontaudit getattr on user tmp sockets.
+##
+##
@@ -52613,22 +52599,24 @@ index 9dc60c6..e6556aa 100644
+##
+## Do not audit attempts to set the
+## attributes of user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_read_user_home_content_files',`
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
+ gen_require(`
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
+ dontaudit $1 user_home_t:file setattr_file_perms;
+')
-
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++
+########################################
+##
+## Set the attributes of all user home directories.
@@ -52664,11 +52652,11 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
- files_search_home($1)
- ')
-
- ########################################
- ##
++ files_search_home($1)
++')
++
++########################################
++##
+## Read user home files.
+##
+##
@@ -52710,20 +52698,20 @@ index 9dc60c6..e6556aa 100644
+
+########################################
+##
- ## Do not audit attempts to read user home files.
- ##
- ##
-@@ -1893,11 +2635,14 @@ interface(`userdom_read_user_home_content_files',`
- #
- interface(`userdom_dontaudit_read_user_home_content_files',`
- gen_require(`
-- type user_home_t;
++## Do not audit attempts to read user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_user_home_content_files',`
++ gen_require(`
+ attribute user_home_type;
+ type user_home_dir_t;
- ')
-
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
++ ')
++
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
@@ -52731,7 +52719,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1938,7 +2683,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -52740,7 +52728,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1946,10 +2691,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -52753,7 +52741,7 @@ index 9dc60c6..e6556aa 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2702,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -52762,7 +52750,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1966,12 +2710,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -52831,7 +52819,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2007,8 +2805,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -52841,7 +52829,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2024,21 +2821,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -52855,19 +52843,18 @@ index 9dc60c6..e6556aa 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
##
- ## Do not audit attempts to execute user home files.
-@@ -2120,7 +2911,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -52876,7 +52863,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2128,19 +2919,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -52900,7 +52887,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2148,12 +2937,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -52916,7 +52903,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2388,18 +3177,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -52974,7 +52961,7 @@ index 9dc60c6..e6556aa 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3239,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -52983,7 +52970,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2455,6 +3280,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -53009,34 +52996,12 @@ index 9dc60c6..e6556aa 100644
########################################
##
-@@ -2538,7 +3382,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
-## temporary symbolic links.
+## temporary files.
- ##
- ##
- ##
-@@ -2546,18 +3390,59 @@ interface(`userdom_manage_user_tmp_files',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmp_symlinks',`
-+interface(`userdom_filetrans_named_user_tmp_files',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
- files_search_tmp($1)
- ')
-
- ########################################
- ##
- ## Create, read, write, and delete user
-+## temporary symbolic links.
+##
+##
+##
@@ -53044,26 +53009,26 @@ index 9dc60c6..e6556aa 100644
+##
+##
+#
-+interface(`userdom_manage_user_tmp_symlinks',`
++interface(`userdom_filetrans_named_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Create, read, write, and delete user
-+## temporary named pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
++## temporary symbolic links.
+ ##
+ ##
+ ##
+@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##
+ ##
+ #
+interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
@@ -53077,10 +53042,18 @@ index 9dc60c6..e6556aa 100644
+########################################
+##
+## Create, read, write, and delete user
- ## temporary named pipes.
- ##
- ##
-@@ -2661,6 +3546,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
++## temporary named pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+ interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -53102,7 +53075,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3572,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -53124,7 +53097,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2692,19 +3587,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -53147,7 +53120,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2713,13 +3602,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -53208,7 +53181,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2814,6 +3746,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -53233,7 +53206,7 @@ index 9dc60c6..e6556aa 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3782,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -53276,7 +53249,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2856,14 +3818,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3823,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -53314,7 +53287,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2882,8 +3863,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3868,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -53344,7 +53317,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2955,6 +3955,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3960,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -53387,7 +53360,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,24 +4014,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4019,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -53412,7 +53385,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4032,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4037,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -53424,7 +53397,7 @@ index 9dc60c6..e6556aa 100644
## memory segments.
##
##
-@@ -3025,17 +4043,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4048,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -53445,7 +53418,7 @@ index 9dc60c6..e6556aa 100644
## memory segments.
##
##
-@@ -3044,12 +4062,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4067,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
##
##
#
@@ -53460,7 +53433,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3094,7 +4112,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4117,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -53469,7 +53442,7 @@ index 9dc60c6..e6556aa 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4128,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4133,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -53503,7 +53476,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3214,7 +4216,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4221,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -53530,7 +53503,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3269,12 +4289,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4294,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -53546,7 +53519,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -3282,54 +4303,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4308,56 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -53618,7 +53591,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -3337,12 +4360,86 @@ interface(`userdom_getattr_all_users',`
+@@ -3337,17 +4365,91 @@ interface(`userdom_getattr_all_users',`
##
##
#
@@ -53630,10 +53603,11 @@ index 9dc60c6..e6556aa 100644
- allow $1 userdomain:fd use;
+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to inherit the file
+## Do not audit attempts to use user ttys.
+##
+##
@@ -53704,10 +53678,15 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ allow $1 userdomain:fd use;
- ')
-
- ########################################
-@@ -3382,6 +4479,42 @@ interface(`userdom_signal_all_users',`
++')
++
++########################################
++##
++## Do not audit attempts to inherit the file
+ ## descriptors from any user domains.
+ ##
+ ##
+@@ -3382,6 +4484,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -53750,7 +53729,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4535,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4540,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -53811,7 +53790,7 @@ index 9dc60c6..e6556aa 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4627,1781 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index fb9b995..0203074 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -32032,10 +32032,10 @@ index 0000000..764ae00
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..33654d5
+index 0000000..c31e40e
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,302 @@
+policy_module(glusterd, 1.1.3)
+
+##
@@ -32100,7 +32100,7 @@ index 0000000..33654d5
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
+
+allow glusterd_t self:capability2 block_suspend;
-+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
++allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+allow glusterd_t self:sem create_sem_perms;
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
@@ -32284,6 +32284,11 @@ index 0000000..33654d5
+ hostname_exec(glusterd_t)
+')
+
++
++optional_policy(`
++ kerberos_read_keytab(glusterd_t)
++')
++
+optional_policy(`
+ lvm_domtrans(glusterd_t)
+')
@@ -37023,6 +37028,166 @@ index 0000000..28816b4
+auth_use_nsswitch(hsqldb_t)
+
+sysnet_read_config(hsqldb_t)
+diff --git a/hwloc.fc b/hwloc.fc
+new file mode 100644
+index 0000000..d0c5a15
+--- /dev/null
++++ b/hwloc.fc
+@@ -0,0 +1,5 @@
++/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
++
++/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
++
++/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
+diff --git a/hwloc.if b/hwloc.if
+new file mode 100644
+index 0000000..c2349ec
+--- /dev/null
++++ b/hwloc.if
+@@ -0,0 +1,106 @@
++## Dump topology and locality information from hardware tables.
++
++########################################
++##
++## Execute hwloc dhwd in the hwloc dhwd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`hwloc_domtrans_dhwd',`
++ gen_require(`
++ type hwloc_dhwd_t, hwloc_dhwd_exec_t;
++ ')
++
++ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
++')
++
++########################################
++##
++## Execute hwloc dhwd in the hwloc dhwd domain, and
++## allow the specified role the hwloc dhwd domain,
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`hwloc_run_dhwd',`
++ gen_require(`
++ attribute_role hwloc_dhwd_roles;
++ ')
++
++ hwloc_domtrans_dhwd($1)
++ roleattribute $2 hwloc_dhwd_roles;
++')
++
++########################################
++##
++## Execute hwloc dhwd in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hwloc_exec_dhwd',`
++ gen_require(`
++ type hwloc_dhwd_exec_t;
++ ')
++
++ can_exec($1, hwloc_dhwd_exec_t)
++')
++
++########################################
++##
++## Read hwloc runtime files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hwloc_read_runtime_files',`
++ gen_require(`
++ type hwloc_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
++')
++
++########################################
++##
++## All of the rules required to
++## administrate an hwloc environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`hwloc_admin',`
++ gen_require(`
++ type hwloc_dhwd_t, hwloc_var_run_t;
++ ')
++
++ allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, hwloc_dhwd_t)
++
++ admin_pattern($1, hwloc_var_run_t)
++ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
++')
+diff --git a/hwloc.te b/hwloc.te
+new file mode 100644
+index 0000000..0f45fd5
+--- /dev/null
++++ b/hwloc.te
+@@ -0,0 +1,31 @@
++policy_module(hwloc, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute_role hwloc_dhwd_roles;
++roleattribute system_r hwloc_dhwd_roles;
++
++type hwloc_dhwd_t;
++type hwloc_dhwd_exec_t;
++init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
++role hwloc_dhwd_roles types hwloc_dhwd_t;
++
++type hwloc_var_run_t;
++files_pid_file(hwloc_var_run_t)
++
++type hwloc_dhwd_unit_t;
++systemd_unit_file(hwloc_dhwd_unit_t)
++
++########################################
++#
++# Local policy
++#
++
++allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
++allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
++files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
++
++dev_read_sysfs(hwloc_dhwd_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
index b46130e..e2ae3b2 100644
--- a/hypervkvp.fc
@@ -48068,7 +48233,7 @@ index 0000000..8bc27f4
+domain_use_interactive_fds(mcollective_t)
+
diff --git a/mediawiki.fc b/mediawiki.fc
-index 99f7c41..93ec6db 100644
+index 99f7c41..1745603 100644
--- a/mediawiki.fc
+++ b/mediawiki.fc
@@ -1,8 +1,8 @@
@@ -48080,12 +48245,12 @@ index 99f7c41..93ec6db 100644
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
++/usr/share/mediawiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
-+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
++/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
++/var/www/wiki[0-9]?\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
diff --git a/mediawiki.if b/mediawiki.if
index 9771b4b..9b183e6 100644
--- a/mediawiki.if
@@ -85688,10 +85853,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..dfb3396 100644
+index 47de2d6..bc62d96 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,95 @@
+@@ -1,31 +1,96 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -85782,6 +85947,7 @@ index 47de2d6..dfb3396 100644
+/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0)
+
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
@@ -86679,7 +86845,7 @@ index c8bdea2..1574225 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..1a605f9 100644
+index 6cf79c4..943fd8b 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -87047,7 +87213,7 @@ index 6cf79c4..1a605f9 100644
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };
-+allow fenced_t self:process { getsched setpgid signal_perms };
++allow fenced_t self:process { getsched setcap setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
@@ -107668,7 +107834,7 @@ index 97cd155..49321a5 100644
fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index 585a77f..948bc5b 100644
+index 585a77f..a7cb326 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1)
@@ -107714,7 +107880,7 @@ index 585a77f..948bc5b 100644
dev_read_urand(tmpreaper_t)
-@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t)
+@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
@@ -107725,11 +107891,9 @@ index 585a77f..948bc5b 100644
-files_getattr_all_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
+-files_setattr_all_tmp_dirs(tmpreaper_t)
+files_delete_all_non_security_files(tmpreaper_t)
-+# why does it need setattr?
- files_setattr_all_tmp_dirs(tmpreaper_t)
-+files_setattr_isid_type_dirs(tmpreaper_t)
-+files_setattr_usr_dirs(tmpreaper_t)
++files_setattr_non_security_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
@@ -107738,7 +107902,7 @@ index 585a77f..948bc5b 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
+@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
@@ -107746,7 +107910,7 @@ index 585a77f..948bc5b 100644
miscfiles_delete_man_pages(tmpreaper_t)
ifdef(`distro_debian',`
-@@ -53,10 +82,33 @@ ifdef(`distro_debian',`
+@@ -53,10 +79,33 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@@ -107781,7 +107945,7 @@ index 585a77f..948bc5b 100644
')
optional_policy(`
-@@ -64,6 +116,7 @@ optional_policy(`
+@@ -64,6 +113,7 @@ optional_policy(`
')
optional_policy(`
@@ -107789,7 +107953,7 @@ index 585a77f..948bc5b 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -79,7 +132,19 @@ optional_policy(`
+@@ -79,7 +129,19 @@ optional_policy(`
')
optional_policy(`
@@ -107810,7 +107974,7 @@ index 585a77f..948bc5b 100644
')
optional_policy(`
-@@ -89,3 +154,8 @@ optional_policy(`
+@@ -89,3 +151,8 @@ optional_policy(`
optional_policy(`
rpm_manage_cache(tmpreaper_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 00c614a..12b5672 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 194%{?dist}
+Release: 195%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,17 @@ exit 0
%endif
%changelog
+* Thu Jun 08 2016 Lukas Vrabec 3.13.1-195
+- Add hwloc-dump-hwdata SELinux policy
+- Add labels for mediawiki123
+- Fix label for all fence_scsi_check scripts
+- Allow setcap for fenced
+- Allow glusterd domain read krb5_keytab_t files.
+- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
+- Update refpolicy to handle hwloc
+- Fix typo in files_setattr_non_security_dirs.
+- Add interface files_setattr_non_security_dirs()
+
* Tue Jun 07 2016 Lukas Vrabec 3.13.1-194
- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
- Add nrpe_dontaudit_write_pipes()