diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c3f3910..18479d6 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10876,7 +10876,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..7c3c35b 100644
+index f962f76..9cb7e98 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12776,19 +12776,20 @@ index f962f76..7c3c35b 100644
')
########################################
-@@ -4012,6 +4834,11 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4834,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
-+
-+ # allow to read module deps because of labeling changed to modules_dep_t
++
++ # FIXME:
++ # needed for already labeled module deps by modules_dep_t
+ optional_policy(`
-+ modutils_read_module_deps($1)
++ modutils_read_module_deps_files($1)
+ ')
')
########################################
-@@ -4217,6 +5044,175 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +5045,175 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -12964,7 +12965,7 @@ index f962f76..7c3c35b 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4239,6 +5235,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5236,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -12991,7 +12992,7 @@ index f962f76..7c3c35b 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4252,17 +5268,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5269,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -13030,7 +13031,7 @@ index f962f76..7c3c35b 100644
## </summary>
## </param>
#
-@@ -4289,6 +5325,8 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5326,8 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -13039,7 +13040,7 @@ index f962f76..7c3c35b 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5363,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5364,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -13047,7 +13048,7 @@ index f962f76..7c3c35b 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5373,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5374,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -13056,7 +13057,7 @@ index f962f76..7c3c35b 100644
## </summary>
## </param>
#
-@@ -4346,21 +5385,41 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,14 +5386,33 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -13073,9 +13074,8 @@ index f962f76..7c3c35b 100644
+## <summary>
+## Domain not to audit.
+## </summary>
- ## </param>
- #
--interface(`files_delete_tmp_dir_entry',`
++## </param>
++#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
@@ -13093,10 +13093,10 @@ index f962f76..7c3c35b 100644
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
+ ## </param>
+ #
+ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5420,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -13104,7 +13104,7 @@ index f962f76..7c3c35b 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5461,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5462,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -13137,7 +13137,7 @@ index f962f76..7c3c35b 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4456,6 +5541,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5542,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -13180,7 +13180,7 @@ index f962f76..7c3c35b 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4474,6 +5595,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5596,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
## <summary>
@@ -13241,7 +13241,7 @@ index f962f76..7c3c35b 100644
## List all tmp directories.
## </summary>
## <param name="domain">
-@@ -4519,7 +5694,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5695,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -13250,7 +13250,7 @@ index f962f76..7c3c35b 100644
## </summary>
## </param>
#
-@@ -4579,7 +5754,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5755,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -13259,7 +13259,7 @@ index f962f76..7c3c35b 100644
## </summary>
## </param>
#
-@@ -4611,6 +5786,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5787,44 @@ interface(`files_read_all_tmp_files',`
########################################
## <summary>
@@ -13304,7 +13304,7 @@ index f962f76..7c3c35b 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
## </summary>
-@@ -4664,6 +5877,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5878,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -13321,7 +13321,7 @@ index f962f76..7c3c35b 100644
')
########################################
-@@ -5112,6 +6335,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6336,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
## <summary>
@@ -13346,7 +13346,7 @@ index f962f76..7c3c35b 100644
## Read system.map in the /boot directory.
## </summary>
## <param name="domain">
-@@ -5241,6 +6482,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6483,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -13371,7 +13371,7 @@ index f962f76..7c3c35b 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5328,7 +6587,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6588,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -13380,7 +13380,7 @@ index f962f76..7c3c35b 100644
')
########################################
-@@ -5527,6 +6786,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6787,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
## <summary>
@@ -13406,7 +13406,7 @@ index f962f76..7c3c35b 100644
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
-@@ -5596,6 +6874,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6875,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -13432,7 +13432,7 @@ index f962f76..7c3c35b 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6938,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6939,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -13441,7 +13441,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5649,12 +6946,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6947,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -13457,7 +13457,7 @@ index f962f76..7c3c35b 100644
')
########################################
-@@ -5672,6 +6970,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6971,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -13465,7 +13465,7 @@ index f962f76..7c3c35b 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6997,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6998,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -13493,7 +13493,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5706,13 +7024,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7025,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -13510,7 +13510,7 @@ index f962f76..7c3c35b 100644
')
########################################
-@@ -5731,7 +7048,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7049,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -13519,7 +13519,7 @@ index f962f76..7c3c35b 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +7081,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7082,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -13527,7 +13527,7 @@ index f962f76..7c3c35b 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +7095,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7096,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
## <summary>
@@ -13536,7 +13536,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5787,13 +7103,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7104,33 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@@ -13571,7 +13571,7 @@ index f962f76..7c3c35b 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7145,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7146,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -13589,7 +13589,7 @@ index f962f76..7c3c35b 100644
')
########################################
-@@ -5834,9 +7169,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7170,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -13600,7 +13600,7 @@ index f962f76..7c3c35b 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7211,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7212,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -13610,7 +13610,7 @@ index f962f76..7c3c35b 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7233,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7234,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -13620,7 +13620,7 @@ index f962f76..7c3c35b 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7270,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7271,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -13630,7 +13630,7 @@ index f962f76..7c3c35b 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7309,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7310,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -13639,7 +13639,7 @@ index f962f76..7c3c35b 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7329,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7330,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -13688,7 +13688,7 @@ index f962f76..7c3c35b 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -6025,6 +7393,43 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7394,43 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -13732,7 +13732,7 @@ index f962f76..7c3c35b 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6039,7 +7444,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7445,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -13741,7 +13741,7 @@ index f962f76..7c3c35b 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7463,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7464,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -13750,7 +13750,7 @@ index f962f76..7c3c35b 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7483,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7484,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -13759,7 +13759,7 @@ index f962f76..7c3c35b 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7545,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7546,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -13767,7 +13767,7 @@ index f962f76..7c3c35b 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7573,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7574,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
## <summary>
@@ -13792,7 +13792,7 @@ index f962f76..7c3c35b 100644
## Read and write generic process ID files.
## </summary>
## <param name="domain">
-@@ -6182,7 +7604,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7605,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -13801,7 +13801,7 @@ index f962f76..7c3c35b 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7671,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7672,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -13864,7 +13864,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6305,42 +7715,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7716,35 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@@ -13914,7 +13914,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6348,18 +7751,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7752,18 @@ interface(`files_manage_all_pids',`
## </summary>
## </param>
#
@@ -13938,7 +13938,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6367,37 +7770,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7771,40 @@ interface(`files_mounton_all_poly_members',`
## </summary>
## </param>
#
@@ -13990,7 +13990,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6405,18 +7811,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7812,17 @@ interface(`files_dontaudit_search_spool',`
## </summary>
## </param>
#
@@ -14013,7 +14013,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6424,18 +7829,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7830,18 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@@ -14037,7 +14037,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6443,19 +7848,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7849,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@@ -14062,7 +14062,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6463,109 +7867,62 @@ interface(`files_read_generic_spool',`
+@@ -6463,109 +7868,62 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
@@ -14193,7 +14193,7 @@ index f962f76..7c3c35b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6573,10 +7930,944 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7931,944 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
@@ -39078,10 +39078,19 @@ index 1361961..be6b7fc 100644
#
# Base type for the tests directory.
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 9933677..0b9c20a 100644
+index 9933677..7875b79 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
-@@ -23,3 +23,17 @@ ifdef(`distro_gentoo',`
+@@ -10,8 +10,6 @@ ifdef(`distro_gentoo',`
+ /etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+ ')
+
+-/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+-
+ /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+
+ /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
+@@ -23,3 +21,15 @@ ifdef(`distro_gentoo',`
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
@@ -39094,16 +39103,14 @@ index 9933677..0b9c20a 100644
+/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+
-+/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-+
+/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+
+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..f32a37c 100644
+index 7449974..b792900 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
-@@ -12,7 +12,7 @@
+@@ -12,11 +12,28 @@
#
interface(`modutils_getattr_module_deps',`
gen_require(`
@@ -39112,7 +39119,34 @@ index 7449974..f32a37c 100644
')
getattr_files_pattern($1, modules_object_t, modules_dep_t)
-@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',`
+ ')
++########################################
++## <summary>
++## Read the dependencies of kernel modules.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`modutils_read_module_deps_files',`
++ gen_require(`
++ type modules_dep_t;
++ ')
++
++ allow $1 modules_dep_t:file read_file_perms;
++')
+
+ ########################################
+ ## <summary>
+@@ -34,11 +51,50 @@ interface(`modutils_read_module_deps',`
+ ')
+
+ files_list_kernel_modules($1)
++ files_read_kernel_modules($1)
+ allow $1 modules_dep_t:file read_file_perms;
+ ')
########################################
## <summary>
@@ -39157,7 +39191,7 @@ index 7449974..f32a37c 100644
## Read the configuration options used when
## loading modules.
## </summary>
-@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',`
+@@ -163,6 +219,24 @@ interface(`modutils_domtrans_insmod',`
########################################
## <summary>
@@ -39182,7 +39216,7 @@ index 7449974..f32a37c 100644
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal. Has a sigchld
-@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
+@@ -208,6 +282,24 @@ interface(`modutils_exec_insmod',`
can_exec($1, insmod_exec_t)
')
@@ -39207,7 +39241,7 @@ index 7449974..f32a37c 100644
########################################
## <summary>
## Execute depmod in the depmod domain.
-@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -308,11 +400,18 @@ interface(`modutils_domtrans_update_mods',`
#
interface(`modutils_run_update_mods',`
gen_require(`
@@ -39228,7 +39262,7 @@ index 7449974..f32a37c 100644
')
########################################
-@@ -333,3 +414,43 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +432,39 @@ interface(`modutils_exec_update_mods',`
corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
@@ -39252,25 +39286,21 @@ index 7449974..f32a37c 100644
+ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
+ files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
+
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
-+')
-+
-+
-+
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
++ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7a363b8..3f02a36 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 669d7e2..62f370b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 150%{?dist}
+Release: 151%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -656,6 +656,12 @@ exit 0
%endif
%changelog
+* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
+- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
+- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
+- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
+- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
+
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.