diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4987b60..b4f3b28 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..b60c687 100644
+index b191055..b64c141 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5484,7 +5484,7 @@ index b191055..b60c687 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
  network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5497,7 +5497,9 @@ index b191055..b60c687 100644
  network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
  network_port(audit, tcp,60,s0)
  network_port(auth, tcp,113,s0)
-@@ -96,43 +119,53 @@ network_port(boinc, tcp,31416,s0)
++network_port(bacula, tcp,9103,s0, udp,9103,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+ network_port(boinc, tcp,31416,s0)
  network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
  network_port(biff) # no defined portcon
  network_port(certmaster, tcp,51235,s0)
@@ -5556,7 +5558,7 @@ index b191055..b60c687 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5623,7 +5625,7 @@ index b191055..b60c687 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +227,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5663,7 +5665,7 @@ index b191055..b60c687 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +265,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5716,7 +5718,7 @@ index b191055..b60c687 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +315,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5727,7 +5729,7 @@ index b191055..b60c687 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +327,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5740,7 +5742,7 @@ index b191055..b60c687 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +344,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5767,7 +5769,7 @@ index b191055..b60c687 100644
  
  ########################################
  #
-@@ -333,6 +393,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5776,7 +5778,7 @@ index b191055..b60c687 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +407,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -24233,7 +24235,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..39c8bbb 100644
+index 8b40377..787bc72 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -24572,13 +24574,13 @@ index 8b40377..39c8bbb 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
  ')
  
  optional_policy(`
++	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
++')
++
++optional_policy(`
 +	ssh_use_ptys(xauth_t)
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
@@ -24613,8 +24615,7 @@ index 8b40377..39c8bbb 100644
 +allow xdm_t self:dbus { send_msg acquire_svc };
 +
 +allow xdm_t xauth_home_t:file manage_file_perms;
- 
--allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++
 +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -24623,7 +24624,8 @@ index 8b40377..39c8bbb 100644
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +xserver_filetrans_home_content(xdm_t)
 +xserver_filetrans_admin_home_content(xdm_t)
-+
+ 
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 +#Handle mislabeled files in homedir
 +userdom_delete_user_home_content_files(xdm_t)
 +userdom_signull_unpriv_users(xdm_t)
@@ -24880,7 +24882,7 @@ index 8b40377..39c8bbb 100644
 +
 +#userdom_home_manager(xdm_t)
 +tunable_policy(`xdm_write_home',`
-+    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
++    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
 +',`
 +    userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
 +')
@@ -25071,13 +25073,13 @@ index 8b40377..39c8bbb 100644
 +	optional_policy(`
 +		hal_dbus_chat(xdm_t)
 +	')
-+
-+	optional_policy(`
-+		gnomeclock_dbus_chat(xdm_t)
-+	')
  
  	optional_policy(`
 -		accountsd_dbus_chat(xdm_t)
++		gnomeclock_dbus_chat(xdm_t)
++	')
++
++	optional_policy(`
 +		networkmanager_dbus_chat(xdm_t)
  	')
  ')
@@ -25324,13 +25326,10 @@ index 8b40377..39c8bbb 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -704,7 +1179,16 @@ fs_getattr_xattr_fs(xserver_t)
- fs_search_nfs(xserver_t)
+@@ -705,6 +1180,14 @@ fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
--
-+fs_rw_tmpfs_files(xserver_t)
-+
+ 
 +mls_file_read_to_clearance(xserver_t)
 +mls_file_write_all_levels(xserver_t)
 +mls_file_upgrade(xserver_t)
@@ -25342,7 +25341,7 @@ index 8b40377..39c8bbb 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1202,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1201,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -25366,7 +25365,7 @@ index 8b40377..39c8bbb 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1221,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -25375,7 +25374,7 @@ index 8b40377..39c8bbb 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1265,44 @@ optional_policy(`
+@@ -785,17 +1264,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25422,7 +25421,7 @@ index 8b40377..39c8bbb 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1310,10 @@ optional_policy(`
+@@ -803,6 +1309,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25433,7 +25432,7 @@ index 8b40377..39c8bbb 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -25447,7 +25446,7 @@ index 8b40377..39c8bbb 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -25456,7 +25455,7 @@ index 8b40377..39c8bbb 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -25491,7 +25490,7 @@ index 8b40377..39c8bbb 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25500,7 +25499,7 @@ index 8b40377..39c8bbb 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -25532,7 +25531,7 @@ index 8b40377..39c8bbb 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -27421,10 +27420,10 @@ index 016a770..1effeb4 100644
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d30..3701405 100644
+index 3f48d30..90a20cf 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
-@@ -13,6 +13,9 @@ role system_r types fsadm_t;
+@@ -13,9 +13,15 @@ role system_r types fsadm_t;
  type fsadm_log_t;
  logging_log_file(fsadm_log_t)
  
@@ -27434,23 +27433,37 @@ index 3f48d30..3701405 100644
  type fsadm_tmp_t;
  files_tmp_file(fsadm_tmp_t)
  
-@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive };
++type fsadm_tmpfs_t;
++files_tmpfs_file(fsadm_tmpfs_t)
++
+ type swapfile_t; # customizable
+ files_type(swapfile_t)
+ 
+@@ -41,10 +47,21 @@ allow fsadm_t self:msg { send receive };
  
  can_exec(fsadm_t, fsadm_exec_t)
  
+-allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+-allow fsadm_t fsadm_tmp_t:file manage_file_perms;
 +manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
 +manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
 +files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })
 +
- allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
- allow fsadm_t fsadm_tmp_t:file manage_file_perms;
++manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
++manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
  files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+ 
++manage_dirs_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
++manage_files_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
++fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir })
++
 +files_create_boot_flag(fsadm_t)
 +files_setattr_root_dirs(fsadm_t)
- 
++
  # log files
  allow fsadm_t fsadm_log_t:dir setattr;
-@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+ manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
+@@ -53,6 +70,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
  # Enable swapping to files
  allow fsadm_t swapfile_t:file { rw_file_perms swapon };
  
@@ -27458,7 +27471,7 @@ index 3f48d30..3701405 100644
  kernel_read_system_state(fsadm_t)
  kernel_read_kernel_sysctls(fsadm_t)
  kernel_request_load_module(fsadm_t)
-@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
+@@ -101,6 +119,8 @@ files_read_usr_files(fsadm_t)
  files_read_etc_files(fsadm_t)
  files_manage_lost_found(fsadm_t)
  files_manage_isid_type_dirs(fsadm_t)
@@ -27467,7 +27480,15 @@ index 3f48d30..3701405 100644
  # Write to /etc/mtab.
  files_manage_etc_runtime_files(fsadm_t)
  files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -112,7 +132,6 @@ files_read_isid_type_files(fsadm_t)
+ fs_search_auto_mountpoints(fsadm_t)
+ fs_getattr_xattr_fs(fsadm_t)
+ fs_rw_ramfs_pipes(fsadm_t)
+-fs_rw_tmpfs_files(fsadm_t)
+ # remount file system to apply changes
+ fs_remount_xattr_fs(fsadm_t)
+ # for /dev/shm
+@@ -120,6 +139,9 @@ fs_list_auto_mountpoints(fsadm_t)
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
@@ -27477,7 +27498,7 @@ index 3f48d30..3701405 100644
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +155,27 @@ storage_raw_write_fixed_disk(fsadm_t)
  storage_raw_read_removable_device(fsadm_t)
  storage_raw_write_removable_device(fsadm_t)
  storage_read_scsi_generic(fsadm_t)
@@ -27507,7 +27528,7 @@ index 3f48d30..3701405 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -166,6 +187,11 @@ optional_policy(`
+@@ -166,6 +194,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27519,7 +27540,7 @@ index 3f48d30..3701405 100644
  	hal_dontaudit_write_log(fsadm_t)
  ')
  
-@@ -179,6 +205,10 @@ optional_policy(`
+@@ -179,6 +212,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27530,7 +27551,7 @@ index 3f48d30..3701405 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -192,6 +222,10 @@ optional_policy(`
+@@ -192,6 +229,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29307,7 +29328,7 @@ index 79a45f6..9a14d49 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..17932ac 100644
+index 17eda24..afe80c5 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -29555,7 +29576,7 @@ index 17eda24..17932ac 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +286,213 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +286,214 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -29736,6 +29757,7 @@ index 17eda24..17932ac 100644
 +
 +optional_policy(`
 +	ipsec_read_config(init_t)
++    ipsec_manage_pid(init_t)
 +')
 +
 +optional_policy(`
@@ -29777,7 +29799,7 @@ index 17eda24..17932ac 100644
  ')
  
  optional_policy(`
-@@ -216,7 +500,30 @@ optional_policy(`
+@@ -216,7 +501,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29808,7 +29830,7 @@ index 17eda24..17932ac 100644
  ')
  
  ########################################
-@@ -225,9 +532,9 @@ optional_policy(`
+@@ -225,9 +533,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29820,7 +29842,7 @@ index 17eda24..17932ac 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +565,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +566,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29837,7 +29859,7 @@ index 17eda24..17932ac 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +590,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +591,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29880,7 +29902,7 @@ index 17eda24..17932ac 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +627,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +628,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -29892,7 +29914,7 @@ index 17eda24..17932ac 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +639,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +640,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -29903,7 +29925,7 @@ index 17eda24..17932ac 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +650,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +651,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -29913,7 +29935,7 @@ index 17eda24..17932ac 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +659,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +660,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -29921,7 +29943,7 @@ index 17eda24..17932ac 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +666,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +667,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29929,7 +29951,7 @@ index 17eda24..17932ac 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +674,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +675,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29947,7 +29969,7 @@ index 17eda24..17932ac 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +692,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +693,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -29961,7 +29983,7 @@ index 17eda24..17932ac 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +707,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +708,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29975,7 +29997,7 @@ index 17eda24..17932ac 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +720,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +721,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -29986,7 +30008,7 @@ index 17eda24..17932ac 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +733,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +734,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -29994,7 +30016,7 @@ index 17eda24..17932ac 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +752,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +753,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -30018,7 +30040,7 @@ index 17eda24..17932ac 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +785,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +786,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -30026,7 +30048,7 @@ index 17eda24..17932ac 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +819,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +820,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -30037,7 +30059,7 @@ index 17eda24..17932ac 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +843,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +844,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30046,7 +30068,7 @@ index 17eda24..17932ac 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +858,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +859,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -30054,7 +30076,7 @@ index 17eda24..17932ac 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +879,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +880,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -30062,7 +30084,7 @@ index 17eda24..17932ac 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +889,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +890,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -30107,7 +30129,7 @@ index 17eda24..17932ac 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +934,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +935,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30139,7 +30161,7 @@ index 17eda24..17932ac 100644
  	')
  ')
  
-@@ -577,6 +969,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +970,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -30179,7 +30201,7 @@ index 17eda24..17932ac 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1014,8 @@ optional_policy(`
+@@ -589,6 +1015,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30188,7 +30210,7 @@ index 17eda24..17932ac 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1037,7 @@ optional_policy(`
+@@ -610,6 +1038,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -30196,7 +30218,7 @@ index 17eda24..17932ac 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1054,17 @@ optional_policy(`
+@@ -626,6 +1055,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30214,7 +30236,7 @@ index 17eda24..17932ac 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1081,13 @@ optional_policy(`
+@@ -642,9 +1082,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30228,7 +30250,7 @@ index 17eda24..17932ac 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1100,11 @@ optional_policy(`
+@@ -657,15 +1101,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30246,7 +30268,7 @@ index 17eda24..17932ac 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1125,15 @@ optional_policy(`
+@@ -686,6 +1126,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30262,7 +30284,7 @@ index 17eda24..17932ac 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1174,7 @@ optional_policy(`
+@@ -726,6 +1175,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -30270,7 +30292,7 @@ index 17eda24..17932ac 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1192,13 @@ optional_policy(`
+@@ -743,7 +1193,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30285,7 +30307,7 @@ index 17eda24..17932ac 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1221,10 @@ optional_policy(`
+@@ -766,6 +1222,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30296,7 +30318,7 @@ index 17eda24..17932ac 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1234,20 @@ optional_policy(`
+@@ -775,10 +1235,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30317,7 +30339,7 @@ index 17eda24..17932ac 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1256,10 @@ optional_policy(`
+@@ -787,6 +1257,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30328,7 +30350,7 @@ index 17eda24..17932ac 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1281,6 @@ optional_policy(`
+@@ -808,8 +1282,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30337,7 +30359,7 @@ index 17eda24..17932ac 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1289,10 @@ optional_policy(`
+@@ -818,6 +1290,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30348,7 +30370,7 @@ index 17eda24..17932ac 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1302,12 @@ optional_policy(`
+@@ -827,10 +1303,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30361,7 +30383,7 @@ index 17eda24..17932ac 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1334,60 @@ optional_policy(`
+@@ -857,21 +1335,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30423,7 +30445,7 @@ index 17eda24..17932ac 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1403,10 @@ optional_policy(`
+@@ -887,6 +1404,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30434,7 +30456,7 @@ index 17eda24..17932ac 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1417,218 @@ optional_policy(`
+@@ -897,3 +1418,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -32894,7 +32916,7 @@ index 4e94884..b144ffe 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..7b0ef85 100644
+index 59b04c1..19dc9ce 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -32945,7 +32967,15 @@ index 59b04c1..7b0ef85 100644
  
  type syslogd_initrc_exec_t;
  init_script_file(syslogd_initrc_exec_t)
-@@ -76,6 +96,7 @@ files_type(syslogd_var_lib_t)
+@@ -71,11 +91,15 @@ init_script_file(syslogd_initrc_exec_t)
+ type syslogd_tmp_t;
+ files_tmp_file(syslogd_tmp_t)
+ 
++type syslogd_tmpfs_t;
++files_tmpfs_file(syslogd_tmpfs_t)
++
+ type syslogd_var_lib_t;
+ files_type(syslogd_var_lib_t)
  
  type syslogd_var_run_t;
  files_pid_file(syslogd_var_run_t)
@@ -32953,7 +32983,7 @@ index 59b04c1..7b0ef85 100644
  
  type var_log_t;
  logging_log_file(var_log_t)
-@@ -94,6 +115,8 @@ ifdef(`enable_mls',`
+@@ -94,6 +118,8 @@ ifdef(`enable_mls',`
  allow auditctl_t self:capability { fsetid dac_read_search dac_override };
  allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
  
@@ -32962,7 +32992,7 @@ index 59b04c1..7b0ef85 100644
  read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
  allow auditctl_t auditd_etc_t:dir list_dir_perms;
  
-@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +137,7 @@ domain_use_interactive_fds(auditctl_t)
  
  mls_file_read_all_levels(auditctl_t)
  
@@ -32971,7 +33001,7 @@ index 59b04c1..7b0ef85 100644
  
  init_dontaudit_use_fds(auditctl_t)
  
-@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +174,7 @@ kernel_read_kernel_sysctls(auditd_t)
  # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
  # Probably want a transition, and a new auditd_helper app
  kernel_read_system_state(auditd_t)
@@ -32979,7 +33009,7 @@ index 59b04c1..7b0ef85 100644
  
  dev_read_sysfs(auditd_t)
  
-@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +182,6 @@ fs_getattr_all_fs(auditd_t)
  fs_search_auto_mountpoints(auditd_t)
  fs_rw_anon_inodefs_files(auditd_t)
  
@@ -32989,7 +33019,7 @@ index 59b04c1..7b0ef85 100644
  corenet_all_recvfrom_netlabel(auditd_t)
  corenet_tcp_sendrecv_generic_if(auditd_t)
  corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +207,17 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -33011,7 +33041,7 @@ index 59b04c1..7b0ef85 100644
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
-@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +262,29 @@ corecmd_exec_shell(audisp_t)
  
  domain_use_interactive_fds(audisp_t)
  
@@ -33042,7 +33072,7 @@ index 59b04c1..7b0ef85 100644
  ')
  
  ########################################
-@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
  
  corecmd_exec_bin(audisp_remote_t)
  
@@ -33050,7 +33080,7 @@ index 59b04c1..7b0ef85 100644
  corenet_all_recvfrom_netlabel(audisp_remote_t)
  corenet_tcp_sendrecv_generic_if(audisp_remote_t)
  corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +314,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -33070,7 +33100,7 @@ index 59b04c1..7b0ef85 100644
  
  sysnet_dns_name_resolve(audisp_remote_t)
  
-@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +368,6 @@ files_read_etc_files(klogd_t)
  
  logging_send_syslog_msg(klogd_t)
  
@@ -33078,7 +33108,7 @@ index 59b04c1..7b0ef85 100644
  
  mls_file_read_all_levels(klogd_t)
  
-@@ -355,13 +393,12 @@ optional_policy(`
+@@ -355,13 +396,12 @@ optional_policy(`
  # sys_admin for the integrated klog of syslog-ng and metalog
  # sys_nice for rsyslog
  # cjp: why net_admin!
@@ -33095,7 +33125,7 @@ index 59b04c1..7b0ef85 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -371,6 +408,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -371,6 +411,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
  allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -33103,10 +33133,14 @@ index 59b04c1..7b0ef85 100644
  
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +427,42 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +430,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
++manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
++manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
++fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file })
++
 +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
  manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
  files_search_var_lib(syslogd_t)
@@ -33149,7 +33183,7 @@ index 59b04c1..7b0ef85 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +472,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +479,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -33158,7 +33192,7 @@ index 59b04c1..7b0ef85 100644
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +484,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +491,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -33186,11 +33220,9 @@ index 59b04c1..7b0ef85 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -447,14 +516,19 @@ files_read_kernel_symbol_table(syslogd_t)
- files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +524,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
-+fs_rw_tmpfs_files(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
 +fs_search_cgroup_dirs(syslogd_t)
  
@@ -33206,7 +33238,7 @@ index 59b04c1..7b0ef85 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +540,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +546,11 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -33221,7 +33253,7 @@ index 59b04c1..7b0ef85 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -507,15 +581,40 @@ optional_policy(`
+@@ -507,15 +587,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33262,7 +33294,7 @@ index 59b04c1..7b0ef85 100644
  ')
  
  optional_policy(`
-@@ -526,3 +625,26 @@ optional_policy(`
+@@ -526,3 +631,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -39202,10 +39234,10 @@ index 0000000..1d9bdfd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..1605309
+index 0000000..9785384
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,659 @@
+@@ -0,0 +1,635 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -39491,32 +39523,8 @@ index 0000000..1605309
 +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
 +fs_list_all(systemd_tmpfiles_t)
 +
-+files_getattr_all_dirs(systemd_tmpfiles_t)
-+files_getattr_all_files(systemd_tmpfiles_t)
-+files_getattr_all_sockets(systemd_tmpfiles_t)
-+files_getattr_all_symlinks(systemd_tmpfiles_t)
-+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
-+files_relabel_all_lock_files(systemd_tmpfiles_t)
-+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_files(systemd_tmpfiles_t)
-+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
-+files_manage_all_pids(systemd_tmpfiles_t)
-+files_manage_all_pid_dirs(systemd_tmpfiles_t)
-+files_manage_all_locks(systemd_tmpfiles_t)
-+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
-+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_all_non_security_dirs(systemd_tmpfiles_t)
-+files_delete_all_non_security_files(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_purge_tmp(systemd_tmpfiles_t)
-+files_manage_generic_tmp_files(systemd_tmpfiles_t)
-+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
-+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-+files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_manage_non_auth_files(systemd_tmpfiles_t)
++files_relabel_non_auth_files(systemd_tmpfiles_t)
 +files_list_lost_found(systemd_tmpfiles_t)
 +
 +mls_file_read_all_levels(systemd_tmpfiles_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index bb62aba..a40e705 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -531,7 +531,7 @@ index 058d908..70eb89d 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..189ab37 100644
+index eb50f07..5508cee 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -808,15 +808,19 @@ index eb50f07..189ab37 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -233,6 +267,7 @@ optional_policy(`
- 	corecmd_exec_all_executables(abrt_t)
+@@ -234,6 +268,11 @@ optional_policy(`
  ')
  
-+# to install debuginfo packages
  optional_policy(`
++    puppet_read_lib(abrt_t)
++')
++
++# to install debuginfo packages
++optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -243,6 +278,7 @@ optional_policy(`
+ 	rpm_manage_cache(abrt_t)
+@@ -243,6 +282,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -824,7 +828,7 @@ index eb50f07..189ab37 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +289,17 @@ optional_policy(`
+@@ -253,9 +293,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -843,7 +847,7 @@ index eb50f07..189ab37 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +310,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +314,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -858,7 +862,7 @@ index eb50f07..189ab37 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +329,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +333,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -866,7 +870,7 @@ index eb50f07..189ab37 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +338,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +342,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -887,7 +891,7 @@ index eb50f07..189ab37 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +359,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +363,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -914,7 +918,7 @@ index eb50f07..189ab37 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +395,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +399,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -928,7 +932,7 @@ index eb50f07..189ab37 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +413,11 @@ optional_policy(`
+@@ -343,10 +417,11 @@ optional_policy(`
  
  #######################################
  #
@@ -942,7 +946,7 @@ index eb50f07..189ab37 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +436,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +440,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -994,7 +998,7 @@ index eb50f07..189ab37 100644
  
  #######################################
  #
-@@ -404,7 +485,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +489,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1003,7 +1007,7 @@ index eb50f07..189ab37 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -413,16 +494,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +498,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1047,7 +1051,7 @@ index eb50f07..189ab37 100644
  ')
  
  #######################################
-@@ -430,10 +537,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +541,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -8335,10 +8339,30 @@ index dcd774e..c240ffa 100644
  
  	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
-index f16b000..ed47057 100644
+index f16b000..6cf82b3 100644
 --- a/bacula.te
 +++ b/bacula.te
-@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
+ # Local policy
+ #
+ 
+-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
++allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
+ allow bacula_t self:process signal;
+ allow bacula_t self:fifo_file rw_fifo_file_perms;
+ allow bacula_t self:tcp_socket { accept listen };
+@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
+ corenet_sendrecv_generic_server_packets(bacula_t)
+ corenet_udp_bind_generic_port(bacula_t)
+ 
++
++#TODO: check port labels for hplip a bacula
++corenet_tcp_bind_bacula_port(bacula_t)
++
+ corenet_sendrecv_hplip_server_packets(bacula_t)
+ corenet_tcp_bind_hplip_port(bacula_t)
+ corenet_udp_bind_hplip_port(bacula_t)
+@@ -148,9 +152,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
  
  domain_use_interactive_fds(bacula_admin_t)
  
@@ -33517,7 +33541,7 @@ index 1a35420..2ea1241 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020fa..775dd9f 100644
+index ca020fa..a25fc7f 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -9,8 +9,8 @@ type iscsid_t;
@@ -33541,7 +33565,20 @@ index ca020fa..775dd9f 100644
  allow iscsid_t self:process { setrlimit setsched signal };
  allow iscsid_t self:fifo_file rw_fifo_file_perms;
  allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -55,20 +54,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
+ 
+-allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+-read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+-read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)
+ 
+ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
  
  can_exec(iscsid_t, iscsid_exec_t)
  
@@ -33555,7 +33592,7 @@ index ca020fa..775dd9f 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,21 +86,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -40470,7 +40507,7 @@ index e6136fd..14e2c47 100644
  ifdef(`distro_debian',`
  	optional_policy(`
 diff --git a/mcelog.if b/mcelog.if
-index f89651e..ea89ab1 100644
+index f89651e..c73214d 100644
 --- a/mcelog.if
 +++ b/mcelog.if
 @@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
@@ -40489,11 +40526,11 @@ index f89651e..ea89ab1 100644
 +#
 +interface(`mcelog_read_log',`
 +	gen_require(`
-+		type mcelog_var_log_t;
++		type mcelog_log_t;
 +	')
 +
 +	logging_search_logs($1)
-+	read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t)
++	read_files_pattern($1, mcelog_log_t, mcelog_log_t)
 +')
 +
  ########################################
@@ -57777,10 +57814,10 @@ index 0000000..05648bd
 +')
 diff --git a/osad.te b/osad.te
 new file mode 100644
-index 0000000..ac767bc
+index 0000000..a40fcc3
 --- /dev/null
 +++ b/osad.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,45 @@
 +policy_module(osad, 1.0.0)
 +
 +########################################
@@ -57819,6 +57856,13 @@ index 0000000..ac767bc
 +
 +dev_read_urand(osad_t)
 +
++optional_policy(`
++    gnome_dontaudit_search_config(osad_t)
++')
++
++optional_policy(`
++    rhnsd_manage_config(osad_t)
++')
 diff --git a/pacemaker.fc b/pacemaker.fc
 index 2f0ad56..d4da0b8 100644
 --- a/pacemaker.fc
@@ -58516,10 +58560,10 @@ index 8176e4a..2df1789 100644
  
 diff --git a/pcp.fc b/pcp.fc
 new file mode 100644
-index 0000000..ceecf91
+index 0000000..9b8cb6b
 --- /dev/null
 +++ b/pcp.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,28 @@
 +/etc/rc\.d/init\.d/pmcd		--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmlogger 	--      gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmproxy 	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
@@ -58527,7 +58571,13 @@ index 0000000..ceecf91
 +/etc/rc\.d/init\.d/pmie      --       gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmmgr    --      gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
 +
-+/usr/bin/pmie               --  gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++/usr/bin/pmie       --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++/usr/bin/pmcd	    --	    gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
++/usr/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
++/usr/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
++/usr/bin/pmwebd	    --	    gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
++/usr/bin/pmmgr      --      gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
++
 +
 +/usr/libexec/pcp/bin/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
 +/usr/libexec/pcp/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
@@ -58544,10 +58594,10 @@ index 0000000..ceecf91
 +/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
 diff --git a/pcp.if b/pcp.if
 new file mode 100644
-index 0000000..9ca6d26
+index 0000000..4f074cb
 --- /dev/null
 +++ b/pcp.if
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,100 @@
 +## <summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
 +
 +######################################
@@ -58628,12 +58678,32 @@ index 0000000..9ca6d26
 +    files_search_pids($1)
 +    admin_pattern($1, pcp_var_run_t)
 +')
++
++########################################
++## <summary>
++##  Allow the specified domain to execute pcp_pmie
++##  in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pcp_pmie_exec',`
++    gen_require(`
++        type pcp_pmie_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    can_exec($1, pcp_pmie_exec_t)
++')
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..6493b00
+index 0000000..8ec3a48
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,164 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -58743,7 +58813,7 @@ index 0000000..6493b00
 +
 +optional_policy(`
 +    dbus_system_bus_client(pcp_pmcd_t)
-+    
++
 +    optional_policy(`
 +        avahi_dbus_chat(pcp_pmcd_t)
 +    ')
@@ -58784,6 +58854,20 @@ index 0000000..6493b00
 +corecmd_exec_bin(pcp_pmmgr_t)
 +
 +auth_use_nsswitch(pcp_pmmgr_t)
++
++optional_policy(`
++    pcp_pmie_exec(pcp_pmmgr_t)
++')
++
++########################################
++#
++# pcp_pmie local  policy
++#
++
++allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++
++allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
++
 diff --git a/pcscd.if b/pcscd.if
 index 43d50f9..7f77d32 100644
 --- a/pcscd.if
@@ -63639,7 +63723,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..ab42dca 100644
+index 5cfb83e..7a242df 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -63735,8 +63819,9 @@ index 5cfb83e..ab42dca 100644
  ########################################
  #
 -# Common postfix domain local policy
--#
--
++# Postfix master process local policy
+ #
+ 
 -allow postfix_domain self:capability { sys_nice sys_chroot };
 -dontaudit postfix_domain self:capability sys_tty_config;
 -allow postfix_domain self:process { signal_perms setpgid setsched };
@@ -63824,9 +63909,8 @@ index 5cfb83e..ab42dca 100644
 -########################################
 -#
 -# Master local policy
-+# Postfix master process local policy
- #
- 
+-#
+-
 -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
 +# chown is to set the correct ownership of queue dirs
 +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -64121,7 +64205,7 @@ index 5cfb83e..ab42dca 100644
  ')
  
  optional_policy(`
-@@ -442,6 +345,7 @@ optional_policy(`
+@@ -442,16 +345,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64129,7 +64213,14 @@ index 5cfb83e..ab42dca 100644
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
  	mailman_read_log(postfix_local_t)
-@@ -452,6 +356,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    munin_search_lib(postfix_local_t)
++')
++
++optional_policy(`
+ 	nagios_search_spool(postfix_local_t)
  ')
  
  optional_policy(`
@@ -64140,7 +64231,7 @@ index 5cfb83e..ab42dca 100644
  	procmail_domtrans(postfix_local_t)
  ')
  
-@@ -466,15 +374,17 @@ optional_policy(`
+@@ -466,15 +378,17 @@ optional_policy(`
  
  ########################################
  #
@@ -64164,7 +64255,7 @@ index 5cfb83e..ab42dca 100644
  
  manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
  manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -484,14 +394,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -484,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -64184,7 +64275,7 @@ index 5cfb83e..ab42dca 100644
  
  corecmd_list_bin(postfix_map_t)
  corecmd_read_bin_symlinks(postfix_map_t)
-@@ -500,7 +411,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -500,7 +415,6 @@ corecmd_read_bin_pipes(postfix_map_t)
  corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
@@ -64192,7 +64283,7 @@ index 5cfb83e..ab42dca 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -508,21 +418,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -508,21 +422,22 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -64218,7 +64309,7 @@ index 5cfb83e..ab42dca 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -532,21 +443,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -532,21 +447,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -64244,7 +64335,7 @@ index 5cfb83e..ab42dca 100644
  
  write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
  
-@@ -557,6 +468,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+@@ -557,6 +472,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  corecmd_exec_bin(postfix_pipe_t)
  
  optional_policy(`
@@ -64255,7 +64346,7 @@ index 5cfb83e..ab42dca 100644
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
  
-@@ -584,19 +499,26 @@ optional_policy(`
+@@ -584,19 +503,26 @@ optional_policy(`
  
  ########################################
  #
@@ -64287,7 +64378,7 @@ index 5cfb83e..ab42dca 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +533,7 @@ optional_policy(`
+@@ -611,10 +537,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -64299,7 +64390,7 @@ index 5cfb83e..ab42dca 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -629,17 +548,24 @@ optional_policy(`
+@@ -629,17 +552,24 @@ optional_policy(`
  
  #######################################
  #
@@ -64327,7 +64418,7 @@ index 5cfb83e..ab42dca 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +581,78 @@ optional_policy(`
+@@ -655,69 +585,78 @@ optional_policy(`
  
  ########################################
  #
@@ -64424,7 +64515,7 @@ index 5cfb83e..ab42dca 100644
  ')
  
  optional_policy(`
-@@ -730,29 +665,30 @@ optional_policy(`
+@@ -730,29 +669,30 @@ optional_policy(`
  
  ########################################
  #
@@ -64463,7 +64554,7 @@ index 5cfb83e..ab42dca 100644
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
  	dovecot_stream_connect(postfix_smtpd_t)
-@@ -764,6 +700,7 @@ optional_policy(`
+@@ -764,6 +704,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -64471,7 +64562,7 @@ index 5cfb83e..ab42dca 100644
  ')
  
  optional_policy(`
-@@ -774,31 +711,100 @@ optional_policy(`
+@@ -774,31 +715,100 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -69526,7 +69617,7 @@ index 86ea53c..a2dcf7b 100644
  /usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
  /usr/bin/kvm		--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/qemu.if b/qemu.if
-index eaf56b8..580f9ee 100644
+index eaf56b8..c32349e 100644
 --- a/qemu.if
 +++ b/qemu.if
 @@ -1,19 +1,21 @@
@@ -69557,8 +69648,13 @@ index eaf56b8..580f9ee 100644
  	#
  
  	type $1_t;
-@@ -24,7 +26,7 @@ template(`qemu_domain_template',`
+@@ -22,9 +24,12 @@ template(`qemu_domain_template',`
+ 	type $1_tmp_t;
+ 	files_tmp_file($1_tmp_t)
  
++	type $1_tmpfs_t;
++	files_tmpfs_file($1_tmpfs_t)
++
  	##############################
  	#
 -	# Policy
@@ -69566,15 +69662,29 @@ index eaf56b8..580f9ee 100644
  	#
  
  	allow $1_t self:capability { dac_read_search dac_override };
-@@ -41,7 +43,6 @@ template(`qemu_domain_template',`
+@@ -39,9 +44,12 @@ template(`qemu_domain_template',`
+ 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ 	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
  
++	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++	files_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
++
  	kernel_read_system_state($1_t)
  
 -	corenet_all_recvfrom_unlabeled($1_t)
  	corenet_all_recvfrom_netlabel($1_t)
  	corenet_tcp_sendrecv_generic_if($1_t)
  	corenet_tcp_sendrecv_generic_node($1_t)
-@@ -70,11 +71,10 @@ template(`qemu_domain_template',`
+@@ -61,7 +69,6 @@ template(`qemu_domain_template',`
+ 
+ 	fs_list_inotifyfs($1_t)
+ 	fs_rw_anon_inodefs_files($1_t)
+-	fs_rw_tmpfs_files($1_t)
+ 
+ 	storage_raw_write_removable_device($1_t)
+ 	storage_raw_read_removable_device($1_t)
+@@ -70,11 +77,10 @@ template(`qemu_domain_template',`
  	term_getattr_pty_fs($1_t)
  	term_use_generic_ptys($1_t)
  
@@ -69587,7 +69697,7 @@ index eaf56b8..580f9ee 100644
  	userdom_attach_admin_tun_iface($1_t)
  
  	optional_policy(`
-@@ -98,38 +98,12 @@ template(`qemu_domain_template',`
+@@ -98,38 +104,12 @@ template(`qemu_domain_template',`
  
  ########################################
  ## <summary>
@@ -69628,7 +69738,7 @@ index eaf56b8..580f9ee 100644
  ## </param>
  #
  interface(`qemu_domtrans',`
-@@ -137,18 +111,17 @@ interface(`qemu_domtrans',`
+@@ -137,18 +117,17 @@ interface(`qemu_domtrans',`
  		type qemu_t, qemu_exec_t;
  	')
  
@@ -69650,7 +69760,7 @@ index eaf56b8..580f9ee 100644
  ## </param>
  #
  interface(`qemu_exec',`
-@@ -156,15 +129,12 @@ interface(`qemu_exec',`
+@@ -156,15 +135,12 @@ interface(`qemu_exec',`
  		type qemu_exec_t;
  	')
  
@@ -69667,7 +69777,7 @@ index eaf56b8..580f9ee 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -173,23 +143,25 @@ interface(`qemu_exec',`
+@@ -173,23 +149,25 @@ interface(`qemu_exec',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -69697,7 +69807,7 @@ index eaf56b8..580f9ee 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -202,15 +174,12 @@ interface(`qemu_read_state',`
+@@ -202,15 +180,12 @@ interface(`qemu_read_state',`
  		type qemu_t;
  	')
  
@@ -69715,7 +69825,7 @@ index eaf56b8..580f9ee 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -228,7 +197,7 @@ interface(`qemu_setsched',`
+@@ -228,7 +203,7 @@ interface(`qemu_setsched',`
  
  ########################################
  ## <summary>
@@ -69724,7 +69834,7 @@ index eaf56b8..580f9ee 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -246,7 +215,7 @@ interface(`qemu_signal',`
+@@ -246,7 +221,7 @@ interface(`qemu_signal',`
  
  ########################################
  ## <summary>
@@ -69733,7 +69843,7 @@ index eaf56b8..580f9ee 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -264,48 +233,68 @@ interface(`qemu_kill',`
+@@ -264,48 +239,68 @@ interface(`qemu_kill',`
  
  ########################################
  ## <summary>
@@ -69821,7 +69931,7 @@ index eaf56b8..580f9ee 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -313,58 +302,41 @@ interface(`qemu_manage_tmp_dirs',`
+@@ -313,58 +308,41 @@ interface(`qemu_manage_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -72488,7 +72598,7 @@ index 951db7f..c0cabe8 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
  ')
 diff --git a/raid.te b/raid.te
-index c99753f..2eb5455 100644
+index c99753f..c5d944b 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -72603,7 +72713,15 @@ index c99753f..2eb5455 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -94,13 +128,30 @@ optional_policy(`
+@@ -90,17 +124,38 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    dbus_system_bus_client(mdadm_t)
++')
++
++optional_policy(`
+ 	gpm_dontaudit_getattr_gpmctl(mdadm_t)
  ')
  
  optional_policy(`
@@ -76661,10 +76779,10 @@ index 3f32e4b..f97ea42 100644
  
 diff --git a/rhnsd.fc b/rhnsd.fc
 new file mode 100644
-index 0000000..88fe240
+index 0000000..860a91d
 --- /dev/null
 +++ b/rhnsd.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,9 @@
 +/etc/rc\.d/init\.d/rhnsd	--	gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
 +
 +/usr/lib/systemd/system/rhnsd.* --  gen_context(system_u:object_r:rhnsd_unit_file_t,s0)
@@ -76672,12 +76790,14 @@ index 0000000..88fe240
 +/usr/sbin/rhnsd		--	gen_context(system_u:object_r:rhnsd_exec_t,s0)
 +
 +/var/run/rhnsd\.pid		--	gen_context(system_u:object_r:rhnsd_var_run_t,s0)
++
++/etc/sysconfig/rhn(/.*)?		gen_context(system_u:object_r:rhnsd_conf_t,s0)
 diff --git a/rhnsd.if b/rhnsd.if
 new file mode 100644
-index 0000000..335573a
+index 0000000..8a5aaf0
 --- /dev/null
 +++ b/rhnsd.if
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,118 @@
 +## <summary>policy for rhnsd</summary>
 +
 +########################################
@@ -76741,6 +76861,26 @@ index 0000000..335573a
 +	ps_process_pattern($1, rhnsd_t)
 +')
 +
++######################################
++## <summary>
++## Allow the specified domain to manage
++## rhnsd configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhnsd_manage_config',`
++    gen_require(`
++        type rhnsd_conf_t;
++    ')
++
++    files_search_etc($1)
++    manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@@ -76778,10 +76918,10 @@ index 0000000..335573a
 +')
 diff --git a/rhnsd.te b/rhnsd.te
 new file mode 100644
-index 0000000..be2e57e
+index 0000000..898d82c
 --- /dev/null
 +++ b/rhnsd.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,47 @@
 +policy_module(rhnsd, 1.0.0)
 +
 +########################################
@@ -76802,6 +76942,9 @@ index 0000000..be2e57e
 +type rhnsd_unit_file_t;
 +systemd_unit_file(rhnsd_unit_file_t)
 +
++type rhnsd_conf_t;
++files_config_file(rhnsd_conf_t)
++
 +########################################
 +#
 +# rhnsd local policy
@@ -76816,14 +76959,15 @@ index 0000000..be2e57e
 +manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
 +files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
 +
-+corecmd_exec_bin(rhnsd_t)
++manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
 +
++corecmd_exec_bin(rhnsd_t)
 +
 +logging_send_syslog_msg(rhnsd_t)
 +
 +optional_policy(`
-+	# execute rhn_check
-+	rpm_domtrans(rhnsd_t)
++    # execute rhn_check
++    rpm_domtrans(rhnsd_t)
 +')
 diff --git a/rhsmcertd.if b/rhsmcertd.if
 index 6dbc905..4b17c93 100644
@@ -77085,7 +77229,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..64b5dee 100644
+index d32e1a2..413f4b8 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -77106,7 +77250,7 @@ index d32e1a2..64b5dee 100644
  
  manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
  files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,23 +51,40 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,23 +51,44 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
  
@@ -77148,6 +77292,10 @@ index d32e1a2..64b5dee 100644
 +')
 +
 +optional_policy(`
++    rhnsd_manage_config(rhsmcertd_t)
++')
++
++optional_policy(`
  	rpm_read_db(rhsmcertd_t)
 +    rpm_signull(rhsmcertd_t)
  ')
@@ -79546,7 +79694,7 @@ index ef3b225..d248cd3 100644
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..13ae4ca 100644
+index 6fc360e..4e28c91 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -79836,7 +79984,7 @@ index 6fc360e..13ae4ca 100644
  
  kernel_read_crypto_sysctls(rpm_script_t)
  kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +293,29 @@ kernel_read_network_state(rpm_script_t)
  kernel_list_all_proc(rpm_script_t)
  kernel_read_software_raid_state(rpm_script_t)
  
@@ -79851,6 +79999,8 @@ index 6fc360e..13ae4ca 100644
 -corenet_tcp_sendrecv_http_port(rpm_script_t)
 -
 -corecmd_exec_all_executables(rpm_script_t)
++# needed by unbound-anchor
++corenet_udp_bind_all_unreserved_ports(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
 +
@@ -79886,7 +80036,7 @@ index 6fc360e..13ae4ca 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,30 +329,51 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +331,52 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -79927,6 +80077,7 @@ index 6fc360e..13ae4ca 100644
 +libs_ldconfig_exec_entry_type(rpm_script_t)
  
  logging_send_syslog_msg(rpm_script_t)
++logging_send_audit_msgs(rpm_script_t)
  
 -miscfiles_read_localization(rpm_script_t)
 +miscfiles_filetrans_named_content(rpm_script_t)
@@ -79947,7 +80098,7 @@ index 6fc360e..13ae4ca 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +382,67 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,67 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -80026,7 +80177,7 @@ index 6fc360e..13ae4ca 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +454,6 @@ optional_policy(`
+@@ -409,6 +457,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81993,7 +82144,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..71cbfc7 100644
+index 2b7c441..9cda11e 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -82423,7 +82574,7 @@ index 2b7c441..71cbfc7 100644
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
  fs_get_xattr_fs_quotas(smbd_t)
-@@ -366,44 +368,55 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +368,53 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -82471,8 +82622,7 @@ index 2b7c441..71cbfc7 100644
 +ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
- 	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
-+	fs_rw_inherited_tmpfs_files(smbd_t)
+-	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
  ')
  
 -tunable_policy(`allow_smbd_anon_write',`
@@ -82490,7 +82640,7 @@ index 2b7c441..71cbfc7 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -419,20 +432,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +430,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -82513,7 +82663,7 @@ index 2b7c441..71cbfc7 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +444,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +442,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -82521,7 +82671,7 @@ index 2b7c441..71cbfc7 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -448,17 +452,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,17 +450,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -82539,7 +82689,7 @@ index 2b7c441..71cbfc7 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -466,6 +459,7 @@ optional_policy(`
+@@ -466,6 +457,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -82547,7 +82697,7 @@ index 2b7c441..71cbfc7 100644
  ')
  
  optional_policy(`
-@@ -479,6 +473,11 @@ optional_policy(`
+@@ -479,6 +471,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82559,7 +82709,7 @@ index 2b7c441..71cbfc7 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -488,6 +487,10 @@ optional_policy(`
+@@ -488,6 +485,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82570,7 +82720,7 @@ index 2b7c441..71cbfc7 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,9 +502,33 @@ optional_policy(`
+@@ -499,9 +500,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -82605,7 +82755,7 @@ index 2b7c441..71cbfc7 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +537,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -82620,7 +82770,7 @@ index 2b7c441..71cbfc7 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +553,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -82644,7 +82794,7 @@ index 2b7c441..71cbfc7 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +570,42 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -82711,7 +82861,7 @@ index 2b7c441..71cbfc7 100644
  ')
  
  optional_policy(`
-@@ -606,16 +620,22 @@ optional_policy(`
+@@ -606,16 +618,22 @@ optional_policy(`
  
  ########################################
  #
@@ -82738,7 +82888,7 @@ index 2b7c441..71cbfc7 100644
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  
-@@ -627,16 +647,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +645,11 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -82756,7 +82906,7 @@ index 2b7c441..71cbfc7 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +659,23 @@ optional_policy(`
+@@ -644,22 +657,23 @@ optional_policy(`
  
  ########################################
  #
@@ -82788,7 +82938,7 @@ index 2b7c441..71cbfc7 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +684,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +682,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -82824,7 +82974,7 @@ index 2b7c441..71cbfc7 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +711,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +709,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -82916,7 +83066,7 @@ index 2b7c441..71cbfc7 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +790,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +788,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -82940,7 +83090,7 @@ index 2b7c441..71cbfc7 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +804,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +802,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -82983,7 +83133,7 @@ index 2b7c441..71cbfc7 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +834,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +832,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -82997,7 +83147,7 @@ index 2b7c441..71cbfc7 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +857,20 @@ optional_policy(`
+@@ -840,17 +855,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -83023,7 +83173,7 @@ index 2b7c441..71cbfc7 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +880,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +878,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -83034,7 +83184,7 @@ index 2b7c441..71cbfc7 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +891,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +889,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -83064,7 +83214,7 @@ index 2b7c441..71cbfc7 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -898,13 +914,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +912,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -83085,7 +83235,7 @@ index 2b7c441..71cbfc7 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +932,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +930,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -83096,7 +83246,7 @@ index 2b7c441..71cbfc7 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +940,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +938,39 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -83138,7 +83288,7 @@ index 2b7c441..71cbfc7 100644
  ')
  
  optional_policy(`
-@@ -959,31 +988,29 @@ optional_policy(`
+@@ -959,31 +986,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -83176,7 +83326,7 @@ index 2b7c441..71cbfc7 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1024,38 @@ optional_policy(`
+@@ -997,25 +1022,38 @@ optional_policy(`
  
  ########################################
  #
@@ -83839,10 +83989,10 @@ index 0000000..e30b346
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..0161658
+index 0000000..01ff0ea
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,498 @@
+@@ -0,0 +1,496 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@@ -84021,8 +84171,6 @@ index 0000000..0161658
 +fs_getattr_xattr_fs(sandbox_x_domain)
 +fs_list_inotifyfs(sandbox_x_domain)
 +fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
-+# Random tmpfs_t that gets created when you run X. 
-+fs_rw_tmpfs_files(sandbox_x_domain)
 +fs_get_xattr_fs_quotas(sandbox_x_domain)
 +
 +auth_dontaudit_read_login_records(sandbox_x_domain)
@@ -87968,12 +88116,14 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..48c0623
+index 0000000..1cb1360
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
++/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
++
 +/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 diff --git a/snapper.if b/snapper.if
 new file mode 100644
@@ -88025,10 +88175,10 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..3df20a6
+index 0000000..838f907
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,66 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -88043,6 +88193,9 @@ index 0000000..3df20a6
 +type snapperd_log_t;
 +logging_log_file(snapperd_log_t)
 +
++type snappperd_conf_t;
++files_config_file(snappperd_conf_t)
++
 +type snapperd_data_t;
 +files_type(snapperd_data_t)
 +
@@ -88057,6 +88210,10 @@ index 0000000..3df20a6
 +manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t)
 +logging_log_filetrans(snapperd_t, snapperd_log_t, file)
 +
++manage_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++manage_dirs_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++
 +manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
@@ -88085,6 +88242,9 @@ index 0000000..3df20a6
 +    mount_domtrans(snapperd_t)
 +')
 +
++optional_policy(`
++    lvm_domtrans(snapperd_t)
++')
 diff --git a/snmp.fc b/snmp.fc
 index 2f0a2f2..1569e33 100644
 --- a/snmp.fc
@@ -89172,7 +89332,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..6e9cde8 100644
+index cc58e35..b9e1c32 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -89700,7 +89860,7 @@ index cc58e35..6e9cde8 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +435,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +435,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -89710,6 +89870,7 @@ index cc58e35..6e9cde8 100644
  corenet_tcp_bind_spamd_port(spamd_t)
 -
 -corenet_sendrecv_razor_client_packets(spamd_t)
++corenet_tcp_connect_spamd_port(spamd_t)
  corenet_tcp_connect_razor_port(spamd_t)
 -
 -corenet_sendrecv_smtp_client_packets(spamd_t)
@@ -89803,7 +89964,7 @@ index cc58e35..6e9cde8 100644
  ')
  
  optional_policy(`
-@@ -421,21 +505,13 @@ optional_policy(`
+@@ -421,21 +506,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89827,7 +89988,7 @@ index cc58e35..6e9cde8 100644
  ')
  
  optional_policy(`
-@@ -443,8 +519,8 @@ optional_policy(`
+@@ -443,8 +520,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89837,7 +89998,7 @@ index cc58e35..6e9cde8 100644
  ')
  
  optional_policy(`
-@@ -455,7 +531,12 @@ optional_policy(`
+@@ -455,7 +532,12 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -89851,7 +90012,7 @@ index cc58e35..6e9cde8 100644
  ')
  
  optional_policy(`
-@@ -463,9 +544,9 @@ optional_policy(`
+@@ -463,9 +545,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89862,7 +90023,7 @@ index cc58e35..6e9cde8 100644
  ')
  
  optional_policy(`
-@@ -474,32 +555,32 @@ optional_policy(`
+@@ -474,32 +556,32 @@ optional_policy(`
  
  ########################################
  #
@@ -89905,7 +90066,7 @@ index cc58e35..6e9cde8 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +589,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +590,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -98690,7 +98851,7 @@ index facdee8..fddb027 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..215ace6 100644
+index f03dcf5..81e9d56 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,197 @@
@@ -99663,7 +99824,13 @@ index f03dcf5..215ace6 100644
 -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +kernel_read_net_sysctls(virt_domain)
-+
+ 
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +userdom_search_user_home_content(virt_domain)
 +userdom_read_user_home_content_symlinks(virt_domain)
 +userdom_read_all_users_state(virt_domain)
@@ -99674,19 +99841,14 @@ index f03dcf5..215ace6 100644
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
  
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
  
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -99718,13 +99880,12 @@ index f03dcf5..215ace6 100644
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
  
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
- 
 -allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++dontaudit virt_domain virt_tmpfs_type:file { read write };
  
 -can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
 +
 +corecmd_exec_bin(virt_domain)
@@ -99806,7 +99967,7 @@ index f03dcf5..215ace6 100644
 +	sssd_dontaudit_read_lib(virt_domain)
 +	sssd_dontaudit_read_public_files(virt_domain)
 +')
- 
++
 +optional_policy(`
 +	virt_read_config(virt_domain)
 +	virt_read_lib_files(virt_domain)
@@ -99824,7 +99985,7 @@ index f03dcf5..215ace6 100644
 +	term_use_unallocated_ttys(virt_domain)
 +	dev_rw_printer(virt_domain)
 +')
-+
+ 
 +tunable_policy(`virt_use_fusefs',`
 +	fs_manage_fusefs_dirs(virt_domain)
 +	fs_manage_fusefs_files(virt_domain)
@@ -99969,10 +100130,10 @@ index f03dcf5..215ace6 100644
  
 -logging_send_syslog_msg(virsh_t)
 +systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
  
 -miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
 +logging_send_syslog_msg(virsh_t)
  
  sysnet_dns_name_resolve(virsh_t)
@@ -100165,7 +100326,8 @@ index f03dcf5..215ace6 100644
 +optional_policy(`
 +	docker_exec_lib(virtd_lxc_t)
 +')
-+
+ 
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
@@ -100173,8 +100335,7 @@ index f03dcf5..215ace6 100644
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
- 
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
@@ -100272,6 +100433,12 @@ index f03dcf5..215ace6 100644
 +	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
 +')
++
++optional_policy(`
++	docker_read_share_files(svirt_sandbox_domain)
++	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++	docker_use_ptys(svirt_sandbox_domain)
++')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -100356,27 +100523,21 @@ index f03dcf5..215ace6 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	docker_read_share_files(svirt_sandbox_domain)
-+	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+	docker_use_ptys(svirt_sandbox_domain)
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++	ssh_use_ptys(svirt_sandbox_domain)
 +')
  
  optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
-+	ssh_use_ptys(svirt_sandbox_domain)
++	udev_read_pid_files(svirt_sandbox_domain)
  ')
  
  optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
-+	udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
  ')
  
@@ -100404,10 +100565,6 @@ index f03dcf5..215ace6 100644
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
 +allow svirt_lxc_net_t self:process { execstack execmem };
-+
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+	allow svirt_lxc_net_t self:capability sys_admin;
-+')
  
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -100419,6 +100576,13 @@ index f03dcf5..215ace6 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_sys_admin',`
++	allow svirt_lxc_net_t self:capability sys_admin;
++')
+ 
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
 +tunable_policy(`virt_sandbox_use_netlink',`
 +	allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -100427,14 +100591,11 @@ index f03dcf5..215ace6 100644
 +	logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
 +')
  
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
- 
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
++
 +kernel_read_irq_sysctls(svirt_lxc_net_t)
  
 +dev_read_sysfs(svirt_lxc_net_t)
@@ -100503,15 +100664,15 @@ index f03dcf5..215ace6 100644
 +dev_rw_kvm(svirt_qemu_net_t)
 +
 +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
@@ -100576,7 +100737,7 @@ index f03dcf5..215ace6 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1430,198 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1430,206 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -100589,7 +100750,7 @@ index f03dcf5..215ace6 100644
 +# virt_qemu_ga local policy
 +#
 +
-+allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };
++allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };
 +
 +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
 +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
@@ -100617,7 +100778,10 @@ index f03dcf5..215ace6 100644
 +corecmd_exec_shell(virt_qemu_ga_t)
 +corecmd_exec_bin(virt_qemu_ga_t)
 +
++clock_read_adjtime(virt_qemu_ga_t)
++
 +dev_rw_sysfs(virt_qemu_ga_t)
++dev_rw_realtime_clock(virt_qemu_ga_t)
 +
 +files_list_all_mountpoints(virt_qemu_ga_t)
 +files_write_all_mountpoints(virt_qemu_ga_t)
@@ -100630,6 +100794,7 @@ index f03dcf5..215ace6 100644
 +term_use_unallocated_ttys(virt_qemu_ga_t)
 +
 +logging_send_syslog_msg(virt_qemu_ga_t)
++logging_send_audit_msgs(virt_qemu_ga_t)
 +
 +sysnet_dns_name_resolve(virt_qemu_ga_t)
 +
@@ -100643,6 +100808,10 @@ index f03dcf5..215ace6 100644
 +')
 +
 +optional_policy(`
++    clock_domtrans(virt_qemu_ga_t)
++')
++
++optional_policy(`
 +    dbus_system_bus_client(virt_qemu_ga_t)
 +')
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 612727d..a1af035 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,40 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Feb 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-23
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Make tuned_t as unconfined domain for RHEL7.0
+- Allow ABRT to read puppet certs
+- Add sys_time capability for virt-ga
+- Allow gemu-ga to domtrans to hwclock_t
+- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
+- Fix some AVCs in pcp policy
+- Add to bacula capability setgid and setuid and allow to bind to bacula ports
+- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
+- Add access rhnsd and osad to /etc/sysconfig/rhn
+- drbdadm executes drbdmeta
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
+- Allow systemd_tmpfiles_t to manage all non security files on the system
+- Added labels for bacula ports
+- Fix label on /dev/vfio/vfio
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+
 * Wed Feb 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-22
 - Fix /dev/vfio/vfio labeling