diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index fcb5143..59592da 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6065,7 +6065,7 @@ index b31c054..872ff1b 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..d36451a 100644
+index 76f285e..0e6161d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6566,7 +6566,7 @@ index 76f285e..d36451a 100644
##
##
##
-@@ -2043,7 +2285,101 @@ interface(`dev_getattr_framebuffer_dev',`
+@@ -2043,7 +2285,99 @@ interface(`dev_getattr_framebuffer_dev',`
##
##
#
@@ -6635,8 +6635,6 @@ index 76f285e..d36451a 100644
+ rw_blk_files_pattern($1, device_t, infiniband_device_t)
+')
+
-+
-+
+########################################
+##
+## Get the attributes of the framebuffer device node.
@@ -6669,7 +6667,7 @@ index 76f285e..d36451a 100644
gen_require(`
type device_t, framebuf_device_t;
')
-@@ -2402,7 +2738,97 @@ interface(`dev_filetrans_lirc',`
+@@ -2402,7 +2736,97 @@ interface(`dev_filetrans_lirc',`
########################################
##
@@ -6768,7 +6766,7 @@ index 76f285e..d36451a 100644
##
##
##
-@@ -2725,7 +3151,7 @@ interface(`dev_write_misc',`
+@@ -2725,7 +3149,7 @@ interface(`dev_write_misc',`
##
##
##
@@ -6777,7 +6775,7 @@ index 76f285e..d36451a 100644
##
##
#
-@@ -2811,6 +3237,78 @@ interface(`dev_rw_modem',`
+@@ -2811,6 +3235,78 @@ interface(`dev_rw_modem',`
########################################
##
@@ -6856,7 +6854,7 @@ index 76f285e..d36451a 100644
## Get the attributes of the mouse devices.
##
##
-@@ -2903,20 +3401,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3399,20 @@ interface(`dev_getattr_mtrr_dev',`
########################################
##
@@ -6881,7 +6879,7 @@ index 76f285e..d36451a 100644
##
##
##
-@@ -2925,43 +3423,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3421,34 @@ interface(`dev_getattr_mtrr_dev',`
##
##
#
@@ -6937,7 +6935,7 @@ index 76f285e..d36451a 100644
## range registers (MTRR).
##
##
-@@ -2970,13 +3459,13 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3457,13 @@ interface(`dev_write_mtrr',`
##
##
#
@@ -6954,7 +6952,7 @@ index 76f285e..d36451a 100644
')
########################################
-@@ -3144,48 +3633,102 @@ interface(`dev_create_null_dev',`
+@@ -3144,52 +3631,106 @@ interface(`dev_create_null_dev',`
########################################
##
@@ -7013,9 +7011,10 @@ index 76f285e..d36451a 100644
##
-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_getattr_printer_dev',`
+interface(`dev_dontaudit_getattr_nvram_dev',`
+ gen_require(`
+ type nvram_device_t;
@@ -7067,54 +7066,58 @@ index 76f285e..d36451a 100644
+##
+##
+## Domain allowed access.
- ##
- ##
- #
-@@ -3254,7 +3797,25 @@ interface(`dev_rw_printer',`
++##
++##
++#
++interface(`dev_getattr_printer_dev',`
+ gen_require(`
+ type device_t, printer_device_t;
+ ')
+@@ -3254,7 +3795,7 @@ interface(`dev_rw_printer',`
########################################
##
-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+## Relabel the printer device node.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_printer',`
-+ gen_require(`
-+ type printer_device_t;
-+ ')
-+
-+ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write the printer device.
##
##
##
-@@ -3262,12 +3823,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3803,31 @@ interface(`dev_rw_printer',`
##
##
#
-interface(`dev_read_printk',`
-+interface(`dev_manage_printer',`
++interface(`dev_relabel_printer',`
gen_require(`
- type device_t, printk_device_t;
-+ type device_t, printer_device_t;
++ type printer_device_t;
')
- read_chr_files_pattern($1, device_t, printk_device_t)
++ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
++')
++
++########################################
++##
++## Read and write the printer device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_printer',`
++ gen_require(`
++ type device_t, printer_device_t;
++ ')
++
+ manage_chr_files_pattern($1, device_t, printer_device_t)
+ dev_filetrans_printer_named_dev($1)
')
########################################
-@@ -3399,7 +3961,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +3959,7 @@ interface(`dev_dontaudit_read_rand',`
########################################
##
@@ -7123,7 +7126,7 @@ index 76f285e..d36451a 100644
## number generator devices (e.g., /dev/random)
##
##
-@@ -3413,7 +3975,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +3973,7 @@ interface(`dev_dontaudit_append_rand',`
type random_device_t;
')
@@ -7132,7 +7135,7 @@ index 76f285e..d36451a 100644
')
########################################
-@@ -3855,6 +4417,96 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4415,96 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
@@ -7229,7 +7232,7 @@ index 76f285e..d36451a 100644
## Search the sysfs directories.
##
##
-@@ -3904,6 +4556,7 @@ interface(`dev_list_sysfs',`
+@@ -3904,6 +4554,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
@@ -7237,7 +7240,7 @@ index 76f285e..d36451a 100644
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
-@@ -3946,23 +4599,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3946,23 +4597,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
##
@@ -7291,7 +7294,7 @@ index 76f285e..d36451a 100644
########################################
##
## Read hardware state information.
-@@ -4016,6 +4695,62 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4693,62 @@ interface(`dev_rw_sysfs',`
########################################
##
@@ -7354,7 +7357,7 @@ index 76f285e..d36451a 100644
## Read and write the TPM device.
##
##
-@@ -4113,6 +4848,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4846,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -7380,7 +7383,7 @@ index 76f285e..d36451a 100644
## Getattr generic the USB devices.
##
##
-@@ -4123,7 +4877,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +4875,7 @@ interface(`dev_write_urand',`
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
@@ -7389,7 +7392,7 @@ index 76f285e..d36451a 100644
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5163,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5161,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@@ -7401,7 +7404,7 @@ index 76f285e..d36451a 100644
##
##
##
-@@ -4419,17 +5173,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5171,17 @@ interface(`dev_rw_usbfs',`
##
##
#
@@ -7424,7 +7427,7 @@ index 76f285e..d36451a 100644
##
##
##
-@@ -4437,12 +5191,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5189,12 @@ interface(`dev_getattr_video_dev',`
##
##
#
@@ -7440,7 +7443,7 @@ index 76f285e..d36451a 100644
')
########################################
-@@ -4539,6 +5293,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5291,134 @@ interface(`dev_write_video_dev',`
########################################
##
@@ -7575,7 +7578,7 @@ index 76f285e..d36451a 100644
## Allow read/write the vhost net device
##
##
-@@ -4557,6 +5439,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5437,24 @@ interface(`dev_rw_vhost',`
########################################
##
@@ -7600,7 +7603,7 @@ index 76f285e..d36451a 100644
## Read and write VMWare devices.
##
##
-@@ -4762,6 +5662,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5660,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -7645,7 +7648,7 @@ index 76f285e..d36451a 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5789,948 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5787,966 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -7725,6 +7728,24 @@ index 76f285e..d36451a 100644
+
+########################################
+##
++## Read and write uhid devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_uhid_dev',`
++ gen_require(`
++ type device_t, uhid_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, uhid_device_t)
++')
++
++########################################
++##
+## Create all named devices with the correct label
+##
+##
@@ -27234,7 +27255,7 @@ index 2479587..890e1e2 100644
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..12dca57 100644
+index 3efd5b6..9e85ea0 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -27296,7 +27317,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -95,48 +117,20 @@ interface(`auth_use_pam',`
+@@ -95,69 +117,67 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
@@ -27350,7 +27371,10 @@ index 3efd5b6..12dca57 100644
mls_file_read_all_levels($1)
mls_file_write_all_levels($1)
-@@ -146,18 +140,43 @@ interface(`auth_login_pgm_domain',`
+ mls_file_upgrade($1)
+ mls_file_downgrade($1)
+ mls_process_set_level($1)
++ mls_process_write_to_clearance($1)
mls_fd_share_all_levels($1)
auth_use_pam($1)
@@ -27402,7 +27426,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -231,6 +250,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',`
########################################
##
@@ -27428,7 +27452,7 @@ index 3efd5b6..12dca57 100644
## Execute a login_program in the target domain,
## with a range transition.
##
-@@ -322,6 +360,24 @@ interface(`auth_rw_cache',`
+@@ -322,6 +361,24 @@ interface(`auth_rw_cache',`
########################################
##
@@ -27453,7 +27477,7 @@ index 3efd5b6..12dca57 100644
## Manage authentication cache
##
##
-@@ -402,6 +458,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -27462,7 +27486,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -428,6 +486,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
########################################
##
@@ -27487,7 +27511,7 @@ index 3efd5b6..12dca57 100644
## Execute chkpwd programs in the chkpwd domain.
##
##
-@@ -448,6 +524,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -27513,7 +27537,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -467,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -27521,7 +27545,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -664,6 +758,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -27532,7 +27556,7 @@ index 3efd5b6..12dca57 100644
')
#######################################
-@@ -763,7 +861,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -27584,7 +27608,7 @@ index 3efd5b6..12dca57 100644
')
#######################################
-@@ -824,9 +965,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@@ -27615,7 +27639,7 @@ index 3efd5b6..12dca57 100644
##
##
##
-@@ -834,12 +995,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
##
##
#
@@ -27646,7 +27670,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -854,15 +1030,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -27665,7 +27689,7 @@ index 3efd5b6..12dca57 100644
##
##
##
-@@ -875,13 +1051,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
##
##
#
@@ -27703,7 +27727,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -959,9 +1155,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -27737,7 +27761,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -1040,6 +1257,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -27748,7 +27772,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -1176,6 +1397,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -27756,7 +27780,7 @@ index 3efd5b6..12dca57 100644
')
#######################################
-@@ -1576,6 +1798,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -27782,7 +27806,7 @@ index 3efd5b6..12dca57 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1726,24 +1967,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -27808,7 +27832,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -1767,11 +1991,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
@@ -27825,7 +27849,7 @@ index 3efd5b6..12dca57 100644
')
########################################
-@@ -1805,3 +2031,280 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -42476,7 +42500,7 @@ index 0abaf84..8b34dbc 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..e749152 100644
+index 5ca20a9..cf27c0a 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@@ -42529,10 +42553,10 @@ index 5ca20a9..e749152 100644
+ systemd_config_all_services($1)
+
+ domain_mmap_low($1)
-+
-+ ubac_process_exempt($1)
- tunable_policy(`allow_execheap',`
++ ubac_process_exempt($1)
++
+ tunable_policy(`selinuxuser_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
@@ -42587,7 +42611,7 @@ index 5ca20a9..e749152 100644
')
########################################
-@@ -175,381 +185,12 @@ interface(`unconfined_alias_domain',`
+@@ -175,361 +185,12 @@ interface(`unconfined_alias_domain',`
##
#
interface(`unconfined_execmem_alias_program',`
@@ -42941,26 +42965,32 @@ index 5ca20a9..e749152 100644
- ')
-
- allow $1 unconfined_t:key create;
--')
--
--########################################
--##
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+
+ ########################################
+ ##
-## Send messages to the unconfined domain over dbus.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
+@@ -537,19 +198,19 @@ interface(`unconfined_create_keys',`
+ ##
+ ##
+ #
-interface(`unconfined_dbus_send',`
-- gen_require(`
++interface(`unconfined_server_stream_connect',`
+ gen_require(`
- type unconfined_t;
- class dbus send_msg;
-- ')
--
++ type unconfined_service_t;
+ ')
+
- allow $1 unconfined_t:dbus send_msg;
-+ refpolicywarn(`$0() has been deprecated.')
++ files_search_pids($1)
++ files_write_generic_pid_pipes($1)
++ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
')
########################################
@@ -42971,12 +43001,12 @@ index 5ca20a9..e749152 100644
##
##
##
-@@ -557,20 +198,19 @@ interface(`unconfined_dbus_send',`
+@@ -557,20 +218,17 @@ interface(`unconfined_dbus_send',`
##
##
#
-interface(`unconfined_dbus_chat',`
-+interface(`unconfined_server_stream_connect',`
++interface(`unconfined_server_domtrans',`
gen_require(`
- type unconfined_t;
- class dbus send_msg;
@@ -42985,25 +43015,23 @@ index 5ca20a9..e749152 100644
- allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
-+ files_search_pids($1)
-+ files_write_generic_pid_pipes($1)
-+ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
++ corecmd_bin_domtrans($1, unconfined_service_t)
')
########################################
##
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
-+## Connect to unconfined_server with a unix socket.
++## Allow caller domain to dbus chat unconfined_server.
##
##
##
-@@ -578,11 +218,10 @@ interface(`unconfined_dbus_chat',`
+@@ -578,11 +236,11 @@ interface(`unconfined_dbus_chat',`
##
##
#
-interface(`unconfined_dbus_connect',`
-+interface(`unconfined_server_domtrans',`
++interface(`unconfined_server_dbus_chat',`
gen_require(`
- type unconfined_t;
- class dbus acquire_svc;
@@ -43011,7 +43039,8 @@ index 5ca20a9..e749152 100644
')
- allow $1 unconfined_t:dbus acquire_svc;
-+ corecmd_bin_domtrans($1, unconfined_service_t)
++ allow $1 unconfined_service_t:dbus send_msg;
++ allow unconfined_service_t $1:dbus send_msg;
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902d..a349d18 100644
@@ -43280,7 +43309,7 @@ index db75976..1ee08ec 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..0bed312 100644
+index 9dc60c6..2861886 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -45054,7 +45083,32 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -1629,6 +2135,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1613,6 +2119,24 @@ interface(`userdom_manage_user_home_dirs',`
+
+ ########################################
+ ##
++## Create user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_dontaudit_manage_user_home_dirs',`
++ gen_require(`
++ type user_home_dir_t;
++ ')
++
++ dontaudit $1 user_home_dir_t:dir manage_dir_perms;
++')
++
++########################################
++##
+ ## Relabel to user home directories.
+ ##
+ ##
+@@ -1629,6 +2153,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -45097,7 +45151,7 @@ index 9dc60c6..0bed312 100644
########################################
##
## Create directories in the home dir root with
-@@ -1708,6 +2250,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2268,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -45106,7 +45160,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -1741,10 +2285,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2303,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -45121,7 +45175,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -1769,7 +2315,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2333,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -45130,7 +45184,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -1777,19 +2323,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2341,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -45154,7 +45208,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -1797,55 +2341,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2359,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -45225,7 +45279,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -1853,18 +2397,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2415,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
##
##
#
@@ -45253,7 +45307,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -1872,55 +2417,55 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,45 +2435,182 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -45311,59 +45365,48 @@ index 9dc60c6..0bed312 100644
#
-interface(`userdom_dontaudit_append_user_home_content_files',`
+interface(`userdom_relabel_user_tmp_dirs',`
- gen_require(`
-- type user_home_t;
++ gen_require(`
+ type user_tmp_t;
- ')
-
-- dontaudit $1 user_home_t:file append_file_perms;
++ ')
++
+ allow $1 user_tmp_t:dir relabel_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write user home files.
++')
++
++########################################
++##
+## Do not audit attempts to set the
+## attributes of user home files.
- ##
- ##
- ##
-@@ -1928,32 +2473,149 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_dontaudit_write_user_home_content_files',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
-- dontaudit $1 user_home_t:file write_file_perms;
++ gen_require(`
++ type user_home_t;
++ ')
++
+ dontaudit $1 user_home_t:file setattr_file_perms;
- ')
-
- ########################################
- ##
--## Delete all user home content files.
++')
++
++########################################
++##
+## Set the attributes of all user home directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`userdom_delete_all_user_home_content_files',`
++#
+interface(`userdom_setattr_all_user_home_content_dirs',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
++ gen_require(`
+ attribute user_home_type;
- ')
-
-- userdom_search_user_home_content($1)
-- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++ ')
++
+ allow $1 user_home_type:dir setattr_dir_perms;
+')
+
@@ -45460,51 +45503,45 @@ index 9dc60c6..0bed312 100644
+##
+#
+interface(`userdom_dontaudit_append_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ dontaudit $1 user_home_t:file append_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_write_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ dontaudit $1 user_home_t:file write_file_perms;
- ')
+ gen_require(`
+ type user_home_t;
+ ')
+@@ -1938,7 +2638,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
-@@ -1971,7 +2633,80 @@ interface(`userdom_delete_user_home_content_files',`
- type user_home_t;
+ ##
+-## Delete all user home content files.
++## Delete files in a user home subdirectory.
+ ##
+ ##
+ ##
+@@ -1946,10 +2646,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_all_user_home_content_files',`
++interface(`userdom_delete_user_home_content_files',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
')
-- allow $1 user_home_t:file delete_file_perms;
-+ userdom_search_user_home_content($1)
-+ delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+')
-+
-+########################################
-+##
+ userdom_search_user_home_content($1)
+@@ -1958,7 +2657,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+
+ ########################################
+ ##
+-## Delete files in a user home subdirectory.
+## Delete all files in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1966,12 +2665,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_user_home_content_files',`
+interface(`userdom_delete_all_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
@@ -45524,10 +45561,11 @@ index 9dc60c6..0bed312 100644
+##
+#
+interface(`userdom_delete_user_home_content_sock_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
+ gen_require(`
+ type user_home_t;
+ ')
+
+- allow $1 user_home_t:file delete_file_perms;
+ allow $1 user_home_t:sock_file delete_file_perms;
+')
+
@@ -45568,7 +45606,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -2007,8 +2742,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2760,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -45578,7 +45616,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -2024,20 +2758,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2776,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -45603,7 +45641,7 @@ index 9dc60c6..0bed312 100644
########################################
##
-@@ -2120,7 +2848,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2866,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -45612,7 +45650,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -2128,19 +2856,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2874,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -45636,7 +45674,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -2148,12 +2874,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2892,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -45652,7 +45690,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -2388,18 +3114,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3132,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -45710,7 +45748,7 @@ index 9dc60c6..0bed312 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3176,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3194,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -45719,7 +45757,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -2455,6 +3217,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3235,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -45745,7 +45783,7 @@ index 9dc60c6..0bed312 100644
########################################
##
-@@ -2538,7 +3319,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3337,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -45754,7 +45792,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -2546,19 +3327,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3345,19 @@ interface(`userdom_manage_user_tmp_files',`
##
##
#
@@ -45777,7 +45815,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -2566,19 +3347,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3365,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
##
##
#
@@ -45800,7 +45838,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -2586,27 +3367,68 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,12 +3385,53 @@ interface(`userdom_manage_user_tmp_pipes',`
##
##
#
@@ -45812,24 +45850,20 @@ index 9dc60c6..0bed312 100644
- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- files_search_tmp($1)
- ')
-
++ files_search_tmp($1)
++')
+
- ########################################
- ##
--## Create objects in a user temporary directory
--## with an automatic type transition to
--## a specified private type.
++
++########################################
++##
+## Create, read, write, and delete user
+## temporary named pipes.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
@@ -45857,25 +45891,10 @@ index 9dc60c6..0bed312 100644
+ ')
+
+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Create objects in a user temporary directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
- ##
- ## The type of the object to create.
- ##
-@@ -2661,6 +3483,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ files_search_tmp($1)
+ ')
+
+@@ -2661,6 +3501,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -45897,7 +45916,7 @@ index 9dc60c6..0bed312 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3509,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3527,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -45919,7 +45938,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -2692,19 +3524,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3542,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -45942,7 +45961,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -2713,13 +3539,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3557,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -46003,7 +46022,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -2814,6 +3683,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3701,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -46028,7 +46047,7 @@ index 9dc60c6..0bed312 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3719,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3737,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -46071,7 +46090,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -2856,14 +3755,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3773,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -46109,7 +46128,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -2882,8 +3800,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3818,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -46139,7 +46158,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -2955,69 +3892,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3910,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -46240,7 +46259,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -3025,12 +3961,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3979,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -46255,7 +46274,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -3094,7 +4030,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4048,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -46264,7 +46283,7 @@ index 9dc60c6..0bed312 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4046,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4064,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -46298,7 +46317,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -3214,7 +4134,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4152,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -46325,7 +46344,7 @@ index 9dc60c6..0bed312 100644
')
########################################
-@@ -3269,12 +4207,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4225,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -46341,7 +46360,7 @@ index 9dc60c6..0bed312 100644
##
##
##
-@@ -3282,46 +4221,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,49 +4239,125 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -46399,8 +46418,9 @@ index 9dc60c6..0bed312 100644
gen_require(`
- attribute userdomain;
+ type user_tmp_t;
-+ ')
-+
+ ')
+
+- allow $1 userdomain:process getattr;
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
@@ -46474,10 +46494,13 @@ index 9dc60c6..0bed312 100644
+interface(`userdom_getattr_all_users',`
+ gen_require(`
+ attribute userdomain;
- ')
++ ')
++
++ allow $1 userdomain:process getattr;
+ ')
- allow $1 userdomain:process getattr;
-@@ -3382,6 +4397,42 @@ interface(`userdom_signal_all_users',`
+ ########################################
+@@ -3382,6 +4415,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -46520,7 +46543,7 @@ index 9dc60c6..0bed312 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4453,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4471,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -46581,7 +46604,7 @@ index 9dc60c6..0bed312 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4540,1686 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4558,1686 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 7d8b345..9cc8bac 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9707,7 +9707,7 @@ index c723a0a..3e8a553 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index 851769e..055c97c 100644
+index 851769e..a069dc3 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -9757,7 +9757,13 @@ index 851769e..055c97c 100644
dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
-@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
+@@ -105,12 +119,12 @@ dev_rw_generic_usb_dev(bluetooth_t)
+ dev_read_urand(bluetooth_t)
+ dev_rw_input_dev(bluetooth_t)
+ dev_rw_wireless(bluetooth_t)
++dev_rw_uhid_dev(bluetooth_t)
+
+ domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
@@ -9765,7 +9771,7 @@ index 851769e..055c97c 100644
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
-@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
+@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
@@ -9773,7 +9779,7 @@ index 851769e..055c97c 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
-@@ -130,6 +142,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@@ -9784,7 +9790,7 @@ index 851769e..055c97c 100644
optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
-@@ -200,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
+@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
@@ -10317,15 +10323,23 @@ index 687d4c4..3c5a83a 100644
+ unconfined_domain(boinc_project_t)
+')
diff --git a/brctl.te b/brctl.te
-index c5a9113..6ad8ccb 100644
+index c5a9113..1919abd 100644
--- a/brctl.te
+++ b/brctl.te
-@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
+@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms;
+ allow brctl_t self:tcp_socket create_socket_perms;
+
+ kernel_request_load_module(brctl_t)
++kernel_read_system_state(brctl_t)
+ kernel_read_network_state(brctl_t)
+ kernel_read_sysctl(brctl_t)
+
+@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t)
domain_use_interactive_fds(brctl_t)
-files_read_etc_files(brctl_t)
-
+-
term_dontaudit_use_console(brctl_t)
-miscfiles_read_localization(brctl_t)
@@ -12488,7 +12502,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index e5b621c..e7c249d 100644
+index e5b621c..f975594 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -12519,7 +12533,7 @@ index e5b621c..e7c249d 100644
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,20 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,24 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
@@ -12541,10 +12555,11 @@ index e5b621c..e7c249d 100644
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
--
--optional_policy(`
+
+ optional_policy(`
- mta_send_mail(chronyd_t)
--')
++ timemaster_stream_connect(chronyd_t)
+ ')
diff --git a/cinder.fc b/cinder.fc
new file mode 100644
index 0000000..4b318b7
@@ -15514,7 +15529,7 @@ index 0000000..54b4b04
+')
diff --git a/conman.te b/conman.te
new file mode 100644
-index 0000000..ccff09f
+index 0000000..4772f64
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,55 @@
@@ -15557,7 +15572,7 @@ index 0000000..ccff09f
+manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
+files_pid_filetrans(conman_t, conman_var_run_t, file)
+
-+auth_read_passwd(conman_t)
++auth_use_nsswitch(conman_t)
+
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
@@ -20732,7 +20747,7 @@ index dda905b..ccd0ba9 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..e1b35aa 100644
+index 62d22cb..f8ab4af 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -20858,7 +20873,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -103,91 +129,84 @@ template(`dbus_role_template',`
+@@ -103,91 +129,88 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
@@ -20888,6 +20903,10 @@ index 62d22cb..e1b35aa 100644
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
-
dbus_read_config($1)
++
++ optional_policy(`
++ unconfined_server_dbus_chat($1)
++ ')
')
#######################################
@@ -20984,7 +21003,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',`
##
##
#
@@ -21009,7 +21028,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',`
+@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',`
##
##
#
@@ -21081,7 +21100,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',`
+@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',`
##
##
#
@@ -21107,7 +21126,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',`
+@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',`
##
##
#
@@ -21174,7 +21193,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',`
+@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',`
##
##
#
@@ -21198,7 +21217,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -349,20 +365,18 @@ interface(`dbus_read_config',`
+@@ -349,20 +369,18 @@ interface(`dbus_read_config',`
##
##
#
@@ -21224,7 +21243,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',`
+@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',`
##
##
#
@@ -21257,7 +21276,7 @@ index 62d22cb..e1b35aa 100644
##
##
## Type to be used as a domain.
-@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +409,67 @@ interface(`dbus_manage_lib_files',`
##
##
##
@@ -21367,7 +21386,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +477,18 @@ interface(`dbus_spec_session_domain',`
##
##
#
@@ -21391,7 +21410,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -498,98 +492,100 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +496,100 @@ interface(`dbus_connect_system_bus',`
##
##
#
@@ -21535,7 +21554,7 @@ index 62d22cb..e1b35aa 100644
##
##
##
-@@ -597,28 +593,50 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +597,50 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -26210,7 +26229,7 @@ index 9a21639..26c5986 100644
')
+
diff --git a/drbd.te b/drbd.te
-index f2516cc..6f78534 100644
+index f2516cc..70ddc24 100644
--- a/drbd.te
+++ b/drbd.te
@@ -18,17 +18,20 @@ files_type(drbd_var_lib_t)
@@ -26247,7 +26266,7 @@ index f2516cc..6f78534 100644
kernel_read_system_state(drbd_t)
-+auth_read_passwd(drbd_t)
++auth_use_nsswitch(drbd_t)
+
+can_exec(drbd_t, drbd_exec_t)
+
@@ -35169,10 +35188,10 @@ index 6517fad..b7ca833 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..6f859e1 100644
+index 4eb7041..ccb563e 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,72 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,81 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -35207,7 +35226,7 @@ index 4eb7041..6f859e1 100644
#
-# Local policy
+# hyperv domain local policy
- #
++#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
@@ -35223,23 +35242,32 @@ index 4eb7041..6f859e1 100644
+########################################
#
+# hypervkvp local policy
-+#
-+
+ #
+
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
+
++domain_read_all_domains_state(hypervkvp_t)
++
+files_dontaudit_search_home(hypervkvp_t)
+
+logging_send_syslog_msg(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
-
--allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
--allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++sysnet_domtrans_dhcpc(hypervkvp_t)
++
++systemd_exec_systemctl(hypervkvp_t)
++
+userdom_dontaudit_search_admin_dir(hypervkvp_t)
+
+optional_policy(`
++ netutils_domtrans_ping(hypervkvp_t)
++')
++
++optional_policy(`
+ sysnet_exec_ifconfig(hypervkvp_t)
+')
+
@@ -35414,7 +35442,7 @@ index fbb54e7..05c3777 100644
########################################
diff --git a/inetd.te b/inetd.te
-index c6450df..93445b7 100644
+index c6450df..a28aa13 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@@ -35487,7 +35515,7 @@ index c6450df..93445b7 100644
########################################
#
# Child local policy
-@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
+@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
kernel_read_system_state(inetd_child_t)
@@ -35499,10 +35527,12 @@ index c6450df..93445b7 100644
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
++corecmd_bin_entry_type(inetd_child_t)
++
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
@@ -41863,6 +41893,238 @@ index d8c2442..ef30d42 100644
corenet_sendrecv_generic_server_packets(srvsvcd_t)
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
+diff --git a/linuxptp.fc b/linuxptp.fc
+new file mode 100644
+index 0000000..d2061a9
+--- /dev/null
++++ b/linuxptp.fc
+@@ -0,0 +1,11 @@
++/usr/lib/systemd/system/phc2sys.* -- gen_context(system_u:object_r:phc2sys_unit_file_t,s0)
++
++/usr/lib/systemd/system/ptp4l.* -- gen_context(system_u:object_r:ptp4l_unit_file_t,s0)
++
++/usr/lib/systemd/system/timemaster.* -- gen_context(system_u:object_r:timemaster_unit_file_t,s0)
++
++/usr/sbin/ptp4l -- gen_context(system_u:object_r:ptp4l_exec_t,s0)
++/usr/sbin/phc2sys -- gen_context(system_u:object_r:phc2sys_exec_t,s0)
++/usr/sbin/timemaster -- gen_context(system_u:object_r:timemaster_exec_t,s0)
++
++/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0)
+diff --git a/linuxptp.if b/linuxptp.if
+new file mode 100644
+index 0000000..8d6873f
+--- /dev/null
++++ b/linuxptp.if
+@@ -0,0 +1,59 @@
++## implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.
++
++########################################
++##
++## Execute domain in the phc2sys domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`linuxptp_domtrans_phc2sys',`
++ gen_require(`
++ type phc2sys_t, phc2sys_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
++')
++
++########################################
++##
++## Execute domain in the phc2sys domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`linuxptp_domtrans_ptp4l',`
++ gen_require(`
++ type ptp4l_t, ptp4l_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
++')
++######################################
++##
++## Connect to timemaster using a unix
++## domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`timemaster_stream_connect',`
++ gen_require(`
++ type timemaster_t, timemaster_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
++')
++
+diff --git a/linuxptp.te b/linuxptp.te
+new file mode 100644
+index 0000000..5a1445c
+--- /dev/null
++++ b/linuxptp.te
+@@ -0,0 +1,144 @@
++policy_module(linuxptp, 1.0.0)
++
++
++########################################
++#
++# Declarations
++#
++
++type timemaster_t;
++type timemaster_exec_t;
++init_daemon_domain(timemaster_t, timemaster_exec_t)
++
++type timemaster_var_run_t;
++files_pid_file(timemaster_var_run_t)
++
++type timemaster_unit_file_t;
++systemd_unit_file(timemaster_unit_file_t)
++
++type phc2sys_t;
++type phc2sys_exec_t;
++init_daemon_domain(phc2sys_t, phc2sys_exec_t)
++
++type phc2sys_unit_file_t;
++systemd_unit_file(phc2sys_unit_file_t)
++
++type ptp4l_t;
++type ptp4l_exec_t;
++init_daemon_domain(ptp4l_t, ptp4l_exec_t)
++
++type ptp4l_unit_file_t;
++systemd_unit_file(ptp4l_unit_file_t)
++
++########################################
++#
++# timemaster local policy
++#
++
++allow timemaster_t self:process { signal_perms setcap};
++allow timemaster_t self:fifo_file rw_fifo_file_perms;
++allow timemaster_t self:capability { setuid sys_time kill setgid };
++allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
++allow timemaster_t self:shm create_shm_perms;
++allow timemaster_t self:udp_socket create_socket_perms;
++
++allow timemaster_t ptp4l_t:process signal;
++allow timemaster_t phc2sys_t:process signal;
++
++manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
++manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
++manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
++files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
++
++kernel_read_network_state(timemaster_t)
++
++auth_use_nsswitch(timemaster_t)
++
++corenet_udp_bind_generic_node(timemaster_t)
++corenet_udp_bind_ntp_port(timemaster_t)
++
++logging_send_syslog_msg(timemaster_t)
++
++sysnet_read_config(timemaster_t)
++
++optional_policy(`
++ chronyd_domtrans(timemaster_t)
++ chronyd_rw_shm(timemaster_t)
++')
++
++optional_policy(`
++ gpsd_rw_shm(timemaster_t)
++')
++
++optional_policy(`
++ linuxptp_domtrans_ptp4l(timemaster_t)
++')
++
++optional_policy(`
++ linuxptp_domtrans_phc2sys(timemaster_t)
++')
++
++########################################
++#
++# phc2sys local policy
++#
++
++allow phc2sys_t self:capability sys_time;
++allow phc2sys_t self:fifo_file rw_fifo_file_perms;
++allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
++allow phc2sys_t self:shm create_shm_perms;
++allow phc2sys_t self:udp_socket create_socket_perms;
++
++allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
++
++manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
++manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
++manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
++files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
++
++logging_send_syslog_msg(phc2sys_t)
++
++optional_policy(`
++ chronyd_rw_shm(phc2sys_t)
++')
++
++optional_policy(`
++ gpsd_rw_shm(phc2sys_t)
++')
++
++optional_policy(`
++ ntp_rw_shm(phc2sys_t)
++')
++
++########################################
++#
++# ptp4l local policy
++#
++
++allow ptp4l_t self:fifo_file rw_fifo_file_perms;
++allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
++allow ptp4l_t self:shm create_shm_perms;
++allow ptp4l_t self:udp_socket create_socket_perms;
++allow ptp4l_t self:capability { net_admin net_raw sys_time };
++allow ptp4l_t self:netlink_route_socket { bind create getattr nlmsg_read };
++
++allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
++
++manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
++manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
++manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
++files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
++
++corenet_udp_bind_generic_node(ptp4l_t)
++corenet_udp_bind_reserved_port(ptp4l_t)
++
++logging_send_syslog_msg(ptp4l_t)
++
++optional_policy(`
++ chronyd_rw_shm(ptp4l_t)
++')
++
++optional_policy(`
++ gpsd_rw_shm(ptp4l_t)
++')
++
diff --git a/lircd.if b/lircd.if
index dff21a7..b6981c8 100644
--- a/lircd.if
@@ -58029,18 +58291,20 @@ index 8ec7859..719cffd 100644
fs_getattr_all_fs(ntop_t)
fs_search_auto_mountpoints(ntop_t)
diff --git a/ntp.fc b/ntp.fc
-index af3c91e..6882a3f 100644
+index af3c91e..2d41c4c 100644
--- a/ntp.fc
+++ b/ntp.fc
-@@ -13,6 +13,8 @@
+@@ -13,7 +13,10 @@
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+ /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/ntp.if b/ntp.if
index e96a309..2bacc3f 100644
--- a/ntp.if
@@ -58242,7 +58506,7 @@ index e96a309..2bacc3f 100644
+ files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
')
diff --git a/ntp.te b/ntp.te
-index f81b113..5c71385 100644
+index f81b113..6f94328 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -58255,15 +58519,16 @@ index f81b113..5c71385 100644
type ntp_conf_t;
files_config_file(ntp_conf_t)
-@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen };
+@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen };
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
++files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp")
+files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")
allow ntpd_t ntp_conf_t:file read_file_perms;
-@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
@@ -58274,7 +58539,7 @@ index f81b113..5c71385 100644
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
-@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t)
+@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
@@ -58298,7 +58563,7 @@ index f81b113..5c71385 100644
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
-@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
@@ -58315,7 +58580,7 @@ index f81b113..5c71385 100644
auth_use_nsswitch(ntpd_t)
-@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t)
+@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
@@ -61437,7 +61702,7 @@ index 0000000..776fda7
+')
diff --git a/opensm.te b/opensm.te
new file mode 100644
-index 0000000..32d1db4
+index 0000000..de03e94
--- /dev/null
+++ b/opensm.te
@@ -0,0 +1,45 @@
@@ -61478,7 +61743,7 @@ index 0000000..32d1db4
+
+kernel_read_system_state(opensm_t)
+
-+auth_read_passwd(opensm_t)
++auth_use_nsswitch(opensm_t)
+
+corecmd_exec_bin(opensm_t)
+
@@ -66394,7 +66659,7 @@ index 30e751f..61feb3a 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce9..d2f68fa 100644
+index 3078ce9..18872dc 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
@@ -66451,7 +66716,7 @@ index 3078ce9..d2f68fa 100644
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
-+auth_read_passwd(plymouthd_t)
++auth_use_nsswitch(plymouthd_t)
+
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
@@ -66836,7 +67101,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index ee91778..6df7cf0 100644
+index ee91778..b00a474 100644
--- a/policykit.te
+++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
@@ -67002,7 +67267,7 @@ index ee91778..6df7cf0 100644
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -145,65 +159,79 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,65 +159,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -67032,6 +67297,7 @@ index ee91778..6df7cf0 100644
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
++userdom_dontaudit_manage_user_home_dirs(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
optional_policy(`
@@ -67094,7 +67360,7 @@ index ee91778..6df7cf0 100644
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +239,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +240,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@@ -67121,7 +67387,7 @@ index ee91778..6df7cf0 100644
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
-@@ -235,26 +260,28 @@ optional_policy(`
+@@ -235,26 +261,28 @@ optional_policy(`
########################################
#
@@ -67156,7 +67422,7 @@ index ee91778..6df7cf0 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -266,6 +293,6 @@ optional_policy(`
+@@ -266,6 +294,6 @@ optional_policy(`
')
optional_policy(`
@@ -87926,7 +88192,7 @@ index 50d07fb..bada62f 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..9c52c41 100644
+index 2b7c441..fdfd40f 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -88840,13 +89106,13 @@ index 2b7c441..9c52c41 100644
-allow swat_t { nmbd_t smbd_t }:process { signal signull };
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
-
--allow swat_t smbd_var_run_t:file read_file_perms;
--allow swat_t smbd_var_run_t:file { lock delete_file_perms };
++
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
-+
+
+-allow swat_t smbd_var_run_t:file read_file_perms;
+-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
@@ -89110,7 +89376,7 @@ index 2b7c441..9c52c41 100644
')
optional_policy(`
-@@ -959,31 +1017,29 @@ optional_policy(`
+@@ -959,31 +1017,35 @@ optional_policy(`
# Winbind helper local policy
#
@@ -89132,11 +89398,16 @@ index 2b7c441..9c52c41 100644
-domain_use_interactive_fds(winbind_helper_t)
-
-files_list_var_lib(winbind_helper_t)
--
++dev_read_urand(winbind_t)
+
term_list_ptys(winbind_helper_t)
++corecmd_exec_bin(winbind_helper_t)
++
+domain_use_interactive_fds(winbind_helper_t)
+
++files_list_tmp(winbind_helper_t)
++
auth_use_nsswitch(winbind_helper_t)
logging_send_syslog_msg(winbind_helper_t)
@@ -89148,7 +89419,7 @@ index 2b7c441..9c52c41 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1053,38 @@ optional_policy(`
+@@ -997,25 +1059,38 @@ optional_policy(`
########################################
#
@@ -101545,7 +101816,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 393a330..b500795 100644
+index 393a330..6893547 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -101623,22 +101894,22 @@ index 393a330..b500795 100644
files_dontaudit_search_home(tuned_t)
-files_dontaudit_list_tmp(tuned_t)
+files_list_tmp(tuned_t)
-
--fs_getattr_xattr_fs(tuned_t)
++
+fs_getattr_all_fs(tuned_t)
+fs_search_all(tuned_t)
+fs_rw_hugetlbfs_files(tuned_t)
-+
+
+-fs_getattr_xattr_fs(tuned_t)
+auth_use_nsswitch(tuned_t)
logging_send_syslog_msg(tuned_t)
+#bug in tuned
+logging_manage_syslog_config(tuned_t)
+logging_filetrans_named_conf(tuned_t)
-+
-+mount_read_pid_files(tuned_t)
-miscfiles_read_localization(tuned_t)
++mount_read_pid_files(tuned_t)
++
+modutils_domtrans_insmod(tuned_t)
udev_read_pid_files(tuned_t)
@@ -101675,6 +101946,14 @@ index 393a330..b500795 100644
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
')
+@@ -96,3 +139,7 @@ optional_policy(`
+ optional_policy(`
+ unconfined_dbus_send(tuned_t)
+ ')
++
++optional_policy(`
++ unconfined_domain(tuned_t)
++')
diff --git a/tvtime.if b/tvtime.if
index 1bb0f7c..372be2f 100644
--- a/tvtime.if
@@ -105209,7 +105488,7 @@ index facdee8..c7a2d97 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..f960625 100644
+index f03dcf5..f3d6203 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,241 @@
@@ -106214,7 +106493,7 @@ index f03dcf5..f960625 100644
+allow virt_domain self:process { setrlimit signal_perms getsched setsched };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms;
-+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
++allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
@@ -112178,7 +112457,7 @@ index 0000000..fb0519e
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
-index 0000000..b66e76d
+index 0000000..184e3d5
--- /dev/null
+++ b/zoneminder.te
@@ -0,0 +1,187 @@
@@ -112319,16 +112598,16 @@ index 0000000..b66e76d
+
+optional_policy(`
+ tunable_policy(`zoneminder_run_sudo',`
-+ dbus_system_bus_client(zoneminder_t)
++ sudo_exec(zoneminder_t)
++ su_exec(zoneminder_t)
+ ')
+')
+
+optional_policy(`
-+ tunable_policy(`zoneminder_run_sudo',`
-+ sudo_exec(zoneminder_t)
-+ su_exec(zoneminder_t)
-+ ')
++ dbus_system_bus_client(zoneminder_t)
+')
++
++
+optional_policy(`
+ mysql_stream_connect(zoneminder_t)
+')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6674776..86271b7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 90%{?dist}
+Release: 91%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,28 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Nov 07 2014 Lukas Vrabec 3.13.1-91
+- Added interface userdom_dontaudit_manage_user_home_dirs
+- Fix unconfined_server_dbus_chat() interface.
+- Add unconfined_server_dbus_chat() inteface.
+- Allow login domains to create kernel keyring with different level.
+- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
+- Make tuned as unconfined domain.
+- Added support for linuxptp policy. BZ(1149693)
+- make zoneminder as dbus client by default.
+- Allow bluetooth read/write uhid devices. BZ (1161169)
+- Add fixes for hypervkvp daemon
+- Allow guest to connect to libvirt using unix_stream_socket.
+- Allow all bus client domains to dbus chat with unconfined_service_t.
+- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
+- Make opensm as nsswitch domain to make it working with sssd.
+- Allow brctl to read meminfo.
+- Allow winbind-helper to execute ntlm_auth in the caller domain.
+- Make plymouthd as nsswitch domain to make it working with sssd.
+- Make drbd as nsswitch domain to make it working with sssd.
+- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working.
+- Add support for /var/lib/sntp directory.
+
* Mon Nov 03 2014 Lukas Vrabec 3.13.1-90
- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
- Add 15672 as amqp_port_t