diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 5ebe2d9..5f3e71b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5400,7 +5400,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..fd1a0d0 100644
+index b191055..51daa72 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5609,7 +5609,7 @@ index b191055..fd1a0d0 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +225,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5628,6 +5628,7 @@ index b191055..fd1a0d0 100644
network_port(oa_system, tcp,8022,s0, udp,8022,s0)
-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
++network_port(openflow, tcp,6633,s0, tcp,6653,s0)
network_port(openhpid, tcp,4743,s0, udp,4743,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+network_port(osapi_compute, tcp, 8774, s0)
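Review bot: The new `openflow` port line lists two TCP ports with no hint of why, and a reader unfamiliar with OpenFlow will not know that 6653 is the IANA-registered port while 6633 is the older de-facto port that many controllers still use; a trailing comment in the style this file already uses (`network_port(stunnel) # no defined portcon`) would record it, e.g. `network_port(openflow, tcp,6633,s0, tcp,6653,s0) # 6633 is the legacy pre-IANA port`. Nothing in this hunk grants the resulting port type to any domain, so which service is meant to bind or connect to it cannot be checked from here and presumably lives elsewhere in the patch.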
@@ -5648,7 +5649,7 @@ index b191055..fd1a0d0 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +262,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5701,7 +5702,7 @@ index b191055..fd1a0d0 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +312,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5712,7 +5713,7 @@ index b191055..fd1a0d0 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +325,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5725,7 +5726,7 @@ index b191055..fd1a0d0 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +342,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -5752,7 +5753,7 @@ index b191055..fd1a0d0 100644
########################################
#
-@@ -333,6 +391,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5761,7 +5762,7 @@ index b191055..fd1a0d0 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +405,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -9407,7 +9408,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..35cd90c 100644
+index f962f76..5c44da2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10081,7 +10082,31 @@ index f962f76..35cd90c 100644
## List the contents of the root directory.
##
##
-@@ -1765,6 +2171,26 @@ interface(`files_dontaudit_rw_root_dir',`
+@@ -1725,6 +2131,23 @@ interface(`files_list_root',`
+ allow $1 root_t:dir list_dir_perms;
+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
++########################################
++##
++## Do not audit attempts to write to / dirs.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_write_root_dirs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir write;
++')
+
+ ########################################
+ ##
+@@ -1765,6 +2188,26 @@ interface(`files_dontaudit_rw_root_dir',`
########################################
##
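Review bot: The documentation on the new `files_write_root_dirs` interface contradicts its body: the summary says `Do not audit attempts to write to / dirs.` and the parameter is described as `Domain to not audit.`, but the rule is `allow $1 root_t:dir write;`, which grants access rather than silencing a denial. Because this hands a domain write access to the root directory, the header should say so plainly, e.g. `## Allow the specified domain to write the root (/) directory.` with `## Domain allowed access.`, so a policy author calling it sees a real privilege and not a dontaudit. If the intent is to let callers create entries in /, note that `dir write` alone does not cover `add_name`; the narrow form may be deliberate, so confirm it against the denial that motivated it. A blank line between the closing `')` of `files_list_root` and the new `########` separator would match the spacing of the surrounding interfaces.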
@@ -10108,7 +10133,7 @@ index f962f76..35cd90c 100644
## Create an object in the root directory, with a private
## type using a type transition.
##
-@@ -1892,25 +2318,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1892,25 +2335,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -10140,7 +10165,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -1923,7 +2349,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2366,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -10149,7 +10174,7 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -1946,6 +2372,24 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2389,24 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -10174,7 +10199,7 @@ index f962f76..35cd90c 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2625,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2642,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -10199,7 +10224,7 @@ index f962f76..35cd90c 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3107,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3124,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -10224,7 +10249,7 @@ index f962f76..35cd90c 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3196,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3213,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10232,7 +10257,7 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -2724,7 +3205,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3222,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -10241,7 +10266,7 @@ index f962f76..35cd90c 100644
##
##
#
-@@ -2780,6 +3261,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3278,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -10267,7 +10292,7 @@ index f962f76..35cd90c 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3298,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3315,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -10292,7 +10317,7 @@ index f962f76..35cd90c 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3481,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3498,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -10317,7 +10342,7 @@ index f962f76..35cd90c 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3021,9 +3521,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3538,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -10328,7 +10353,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -3031,18 +3529,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3546,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -10350,7 +10375,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -3060,6 +3557,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3574,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -10377,7 +10402,7 @@ index f962f76..35cd90c 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3594,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3611,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10385,7 +10410,7 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -3098,6 +3616,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3633,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10393,58 +10418,11 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -3150,45 +3669,64 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3150,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
##
--## Do not audit attempts to search directories on new filesystems
+## Setattr of directories on new filesystems
- ## that have not yet been labeled.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_isid_type_dirs',`
-+interface(`files_setattr_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
-- dontaudit $1 file_t:dir search_dir_perms;
-+ allow $1 file_t:dir setattr;
- ')
-
- ########################################
- ##
--## List the contents of directories on new filesystems
-+## Do not audit attempts to search directories on new filesystems
- ## that have not yet been labeled.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_isid_type_dirs',`
-+interface(`files_dontaudit_search_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
-- allow $1 file_t:dir list_dir_perms;
-+ dontaudit $1 file_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read and write directories on new filesystems
-+## List the contents of directories on new filesystems
+## that have not yet been labeled.
+##
+##
@@ -10453,21 +10431,20 @@ index f962f76..35cd90c 100644
+##
+##
+#
-+interface(`files_list_isid_type_dirs',`
++interface(`files_setattr_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
-+ allow $1 file_t:dir list_dir_perms;
++ allow $1 file_t:dir setattr;
+')
+
+########################################
+##
-+## Read and write directories on new filesystems
+ ## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
- ##
-@@ -3223,6 +3761,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3223,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',`
delete_dirs_pattern($1, file_t, file_t)
')
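Review bot: The summary line of the new `files_setattr_isid_type_dirs` interface, `## Setattr of directories on new filesystems`, is a noun phrase where the neighbouring interfaces use an imperative verb phrase (`## List the contents of directories on new filesystems`, `## Do not audit attempts to search directories on new filesystems`); `## Set the attributes of directories on new filesystems` would match. Since `file_t` is the label carried by every filesystem that has not yet been labeled, it is also worth saying in the description that the caller may change mode, ownership and timestamps on any such directory, which is a broader privilege than the short name suggests.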
@@ -10530,7 +10507,7 @@ index f962f76..35cd90c 100644
########################################
##
-@@ -3473,6 +4067,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3473,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -10556,7 +10533,7 @@ index f962f76..35cd90c 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3814,20 +4427,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4444,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -10600,7 +10577,7 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -4217,6 +4848,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4865,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -10773,7 +10750,7 @@ index f962f76..35cd90c 100644
########################################
##
## Allow the specified type to associate
-@@ -4239,6 +5036,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5053,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -10800,7 +10777,7 @@ index f962f76..35cd90c 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4252,17 +5069,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5086,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -10839,7 +10816,7 @@ index f962f76..35cd90c 100644
##
##
#
-@@ -4289,6 +5126,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5143,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -10847,7 +10824,7 @@ index f962f76..35cd90c 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5163,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5180,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -10855,7 +10832,7 @@ index f962f76..35cd90c 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5173,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5190,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -10864,7 +10841,7 @@ index f962f76..35cd90c 100644
##
##
#
-@@ -4346,6 +5185,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5202,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -10890,7 +10867,7 @@ index f962f76..35cd90c 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4361,6 +5219,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5236,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -10898,7 +10875,7 @@ index f962f76..35cd90c 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5261,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5278,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -10931,7 +10908,7 @@ index f962f76..35cd90c 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4456,7 +5341,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,7 +5358,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -10940,7 +10917,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -4464,17 +5349,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,17 +5366,17 @@ interface(`files_rw_generic_tmp_sockets',`
##
##
#
@@ -10962,7 +10939,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -4482,34 +5367,124 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,44 +5384,134 @@ interface(`files_setattr_all_tmp_dirs',`
##
##
#
@@ -11000,14 +10977,17 @@ index f962f76..35cd90c 100644
- allow $1 var_t:dir search_dir_perms;
- relabel_dirs_pattern($1, tmpfile, tmpfile)
+ allow $1 tmpfile:dir { search_dir_perms setattr };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
+## Allow caller to read inherited tmp files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain not to audit.
+## Domain allowed access.
+##
+##
@@ -11094,19 +11074,20 @@ index f962f76..35cd90c 100644
+
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
-@@ -4519,7 +5494,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ##
- ##
- ##
--## Domain not to audit.
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of all tmp files.
++##
++##
++##
+## Domain to not audit.
##
##
#
-@@ -4579,7 +5554,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -11115,7 +11096,7 @@ index f962f76..35cd90c 100644
##
##
#
-@@ -4611,6 +5586,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5603,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -11160,7 +11141,7 @@ index f962f76..35cd90c 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4664,6 +5677,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5694,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11177,7 +11158,7 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -5241,6 +6264,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6281,24 @@ interface(`files_list_var',`
########################################
##
@@ -11202,7 +11183,7 @@ index f962f76..35cd90c 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5527,6 +6568,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6585,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -11228,7 +11209,7 @@ index f962f76..35cd90c 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +6656,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6673,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11254,7 +11235,7 @@ index f962f76..35cd90c 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6720,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6737,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -11263,7 +11244,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -5649,12 +6728,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6745,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -11279,7 +11260,7 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -5672,6 +6752,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6769,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11287,7 +11268,7 @@ index f962f76..35cd90c 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6779,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6796,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -11315,7 +11296,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -5706,13 +6806,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6823,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -11332,7 +11313,7 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -5731,7 +6830,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6847,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11341,7 +11322,7 @@ index f962f76..35cd90c 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6863,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6880,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -11349,7 +11330,7 @@ index f962f76..35cd90c 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +6877,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6894,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -11358,7 +11339,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -5787,13 +6885,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6902,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -11393,7 +11374,7 @@ index f962f76..35cd90c 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +6927,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +6944,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -11411,7 +11392,7 @@ index f962f76..35cd90c 100644
')
########################################
-@@ -5834,9 +6951,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +6968,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11422,7 +11403,7 @@ index f962f76..35cd90c 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +6993,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7010,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11432,7 +11413,7 @@ index f962f76..35cd90c 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7015,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7032,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11442,7 +11423,7 @@ index f962f76..35cd90c 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7052,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7069,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11452,7 +11433,7 @@ index f962f76..35cd90c 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7091,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7108,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11461,7 +11442,7 @@ index f962f76..35cd90c 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7111,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7128,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11510,7 +11491,7 @@ index f962f76..35cd90c 100644
########################################
##
## Do not audit attempts to search
-@@ -6025,28 +7175,47 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,27 +7192,46 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -11541,7 +11522,6 @@ index f962f76..35cd90c 100644
########################################
##
-## Read generic process ID files.
--##
+## List the contents of the runtime process
+## ID directories (/var/run).
+##
@@ -11563,11 +11543,10 @@ index f962f76..35cd90c 100644
+########################################
+##
+## Read generic process ID files.
-+##
+ ##
##
##
- ## Domain allowed access.
-@@ -6058,7 +7227,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11576,7 +11555,7 @@ index f962f76..35cd90c 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7247,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7264,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11585,7 +11564,7 @@ index f962f76..35cd90c 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7309,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7326,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11593,7 +11572,7 @@ index f962f76..35cd90c 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7337,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7354,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -11618,7 +11597,7 @@ index f962f76..35cd90c 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7368,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7385,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11627,7 +11606,7 @@ index f962f76..35cd90c 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7435,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7452,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -11690,7 +11669,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -6305,42 +7479,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7496,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -11740,7 +11719,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -6348,18 +7515,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7532,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -11764,7 +11743,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -6367,37 +7534,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7551,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -11816,7 +11795,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -6405,18 +7575,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7592,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -11839,7 +11818,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -6424,18 +7593,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7610,18 @@ interface(`files_list_spool',`
##
##
#
@@ -11863,7 +11842,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -6443,19 +7612,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7629,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -11888,7 +11867,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -6463,55 +7631,130 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7648,130 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -12038,7 +12017,7 @@ index f962f76..35cd90c 100644
##
##
##
-@@ -6519,64 +7762,767 @@ interface(`files_spool_filetrans',`
+@@ -6519,64 +7779,767 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -21729,7 +21708,7 @@ index cc877c7..07f129b 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..830bb6f 100644
+index 8274418..abeb351 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -21851,7 +21830,7 @@ index 8274418..830bb6f 100644
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@@ -29783,7 +29762,7 @@ index 17eda24..7acba2b 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..32fad12 100644
+index 662e79b..05d25b0 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,23 @@
@@ -29825,7 +29804,8 @@ index 662e79b..32fad12 100644
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
- /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+-/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
++/var/log/pluto\.log.* -- gen_context(system_u:object_r:ipsec_log_t,s0)
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -31424,7 +31404,7 @@ index 446fa99..050a2ac 100644
- nscd_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..2faaaf2 100644
+index b50c5fe..e55a556 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,10 +2,13 @@
@@ -31468,7 +31448,7 @@ index b50c5fe..2faaaf2 100644
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,13 +54,13 @@ ifdef(`distro_suse', `
+@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -31483,8 +31463,10 @@ index b50c5fe..2faaaf2 100644
+/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
ifndef(`distro_gentoo',`
- /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',`
+-/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
++/var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+ ')
+
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -32362,7 +32344,7 @@ index 59b04c1..7b0ef85 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 6b91740..b250b3e 100644
+index 6b91740..633e449 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
@@ -32474,12 +32456,13 @@ index 6b91740..b250b3e 100644
#
# /var
-@@ -98,5 +168,8 @@ ifdef(`distro_gentoo',`
+@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/multipathd(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 8ef7fb7..cf9c3c2 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12192,7 +12192,7 @@ index 4a5b3d1..cd146bd 100644
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
-index 0000000..3a0de96
+index 0000000..51990d0
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,27 @@
@@ -12211,7 +12211,7 @@ index 0000000..3a0de96
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
-+/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0)
++/var/log/cloud-init\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
+
@@ -17943,7 +17943,7 @@ index 3023be7..20e370b 100644
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
')
diff --git a/cups.te b/cups.te
-index c91813c..ac57f95 100644
+index c91813c..f03481e 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
@@ -18177,7 +18177,7 @@ index c91813c..ac57f95 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -212,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -212,17 +243,19 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -18195,9 +18195,11 @@ index c91813c..ac57f95 100644
+fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
++mls_dbus_send_all_levels(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -232,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
+ mls_file_write_all_levels(cupsd_t)
+@@ -232,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
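Review bot: `mls_dbus_send_all_levels(cupsd_t)` widens cupsd's set of MLS overrides to D-Bus messaging with no comment saying which denial it resolves; cupsd_t already carries `mls_fd_use_all_levels`, `mls_file_downgrade`, `mls_file_write_all_levels` and `mls_socket_write_all_levels`, so the addition is consistent, but each of these is an exemption from the MLS constraints and deserves a justification in place. A one-line why-comment above it, e.g. `# cupsd replies over the system bus to clients running at any MLS level`, would do, with the wording adjusted to the actual trigger, which is presumably a D-Bus peer at a different level but cannot be confirmed from this hunk. The cupsd_t policy block continues on both sides of the hunk.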
@@ -18206,7 +18208,7 @@ index c91813c..ac57f95 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -244,21 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -18233,7 +18235,7 @@ index c91813c..ac57f95 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -272,6 +306,8 @@ optional_policy(`
+@@ -272,6 +307,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -18242,7 +18244,7 @@ index c91813c..ac57f95 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -282,8 +318,10 @@ optional_policy(`
+@@ -282,8 +319,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -18253,7 +18255,7 @@ index c91813c..ac57f95 100644
')
')
-@@ -296,8 +334,8 @@ optional_policy(`
+@@ -296,8 +335,8 @@ optional_policy(`
')
optional_policy(`
@@ -18263,7 +18265,7 @@ index c91813c..ac57f95 100644
')
optional_policy(`
-@@ -306,7 +344,6 @@ optional_policy(`
+@@ -306,7 +345,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -18271,7 +18273,7 @@ index c91813c..ac57f95 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -334,7 +371,11 @@ optional_policy(`
+@@ -334,7 +372,11 @@ optional_policy(`
')
optional_policy(`
@@ -18284,7 +18286,7 @@ index c91813c..ac57f95 100644
')
########################################
-@@ -342,12 +383,11 @@ optional_policy(`
+@@ -342,12 +384,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -18300,7 +18302,7 @@ index c91813c..ac57f95 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -372,18 +412,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -18321,7 +18323,7 @@ index c91813c..ac57f95 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +430,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -18342,7 +18344,7 @@ index c91813c..ac57f95 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +447,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -18354,7 +18356,7 @@ index c91813c..ac57f95 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +474,12 @@ optional_policy(`
+@@ -449,9 +475,12 @@ optional_policy(`
')
optional_policy(`
@@ -18368,7 +18370,7 @@ index c91813c..ac57f95 100644
')
optional_policy(`
-@@ -487,10 +515,6 @@ optional_policy(`
+@@ -487,10 +516,6 @@ optional_policy(`
# Lpd local policy
#
@@ -18379,7 +18381,7 @@ index c91813c..ac57f95 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +532,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +533,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -18397,7 +18399,7 @@ index c91813c..ac57f95 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +561,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +562,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -18407,7 +18409,7 @@ index c91813c..ac57f95 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -550,7 +571,6 @@ optional_policy(`
+@@ -550,7 +572,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -18415,7 +18417,7 @@ index c91813c..ac57f95 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +586,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +587,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -18567,7 +18569,7 @@ index c91813c..ac57f95 100644
########################################
#
-@@ -735,7 +630,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +631,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -18575,7 +18577,7 @@ index c91813c..ac57f95 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +639,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +640,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -18589,7 +18591,7 @@ index c91813c..ac57f95 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -759,8 +651,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +652,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -18598,7 +18600,7 @@ index c91813c..ac57f95 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +663,4 @@ optional_policy(`
+@@ -773,3 +664,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -27786,7 +27788,7 @@ index e39de43..4c8113b 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..d2cd4bf 100644
+index ab09d61..d36aa1e 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,78 @@
@@ -28484,58 +28486,92 @@ index ab09d61..d2cd4bf 100644
##
-## Create, read, write, and delete
-## generic gconf home content.
-+## Manage a sock_file in the generic cache home files (.cache)
++## write to generic cache home files (.cache)
##
##
##
-@@ -475,82 +561,73 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,22 +561,18 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
-interface(`gnome_manage_generic_gconf_home_content',`
-+interface(`gnome_manage_generic_cache_sockets',`
++interface(`gnome_manage_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
++ manage_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
-+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
')
########################################
##
-## Search generic gconf home directories.
++## Manage a sock_file in the generic cache home files (.cache)
+ ##
+ ##
+ ##
+@@ -498,79 +580,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+ ##
+ ##
+ #
+-interface(`gnome_search_generic_gconf_home',`
++interface(`gnome_manage_generic_cache_sockets',`
+ gen_require(`
+- type gconf_home_t;
++ type cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+- allow $1 gconf_home_t:dir search_dir_perms;
++ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
+ ')
+
+ ########################################
+ ##
+-## Create objects in user home
+-## directories with the generic gconf
+-## home type.
+## Dontaudit read/write to generic cache home files (.cache)
##
##
##
-## Domain allowed access.
+-##
+-##
+-##
+-##
+-## Class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+## Domain to not audit.
##
##
#
--interface(`gnome_search_generic_gconf_home',`
+-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
-- userdom_search_user_home_dirs($1)
-- allow $1 gconf_home_t:dir search_dir_perms;
+- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')
########################################
##
-## Create objects in user home
--## directories with the generic gconf
+-## directories with the generic gnome
-## home type.
+## read gnome homedir content (.config)
##
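Review bot: The summary for the new gnome_manage_generic_cache_files interface reads `## write to generic cache home files (.cache)`, but its body grants `manage_files_pattern($1, cache_home_t, cache_home_t)`, i.e. create, read, write, rename and delete; the description should match what is actually handed out, e.g. `## Create, read, write, and delete generic cache home files (.cache)`. The `manage_files_pattern` line is also placed directly after the gen_require block, ahead of `userdom_search_user_home_dirs($1)`, whereas the sibling gnome_manage_generic_cache_sockets interface puts the search call first; keeping the same order makes the two easier to compare.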
@@ -28555,14 +28591,14 @@ index ab09d61..d2cd4bf 100644
-##
-##
#
--interface(`gnome_home_filetrans_gconf_home',`
+-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_read_config',`
gen_require(`
-- type gconf_home_t;
+- type gnome_home_t;
+ attribute gnome_home_type;
')
-- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
@@ -28571,23 +28607,22 @@ index ab09d61..d2cd4bf 100644
########################################
##
--## Create objects in user home
--## directories with the generic gnome
--## home type.
+-## Create objects in gnome gconf home
+-## directories with a private type.
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
- ## Domain allowed access.
- ##
+@@ -579,12 +641,12 @@ interface(`gnome_home_filetrans_gnome_home',`
##
-+##
-+##
+ ##
+ ##
+-## Private file type.
+## The type of the object to create.
-+##
-+##
+ ##
+ ##
##
##
-## Class of the object being created.
@@ -28595,18 +28630,19 @@ index ab09d61..d2cd4bf 100644
##
##
##
-@@ -559,52 +636,77 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -593,18 +655,18 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
#
--interface(`gnome_home_filetrans_gnome_home',`
+-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_data_filetrans',`
gen_require(`
-- type gnome_home_t;
+- type gconf_home_t;
+ type data_home_t;
')
-- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+- userdom_search_user_home_dirs($1)
+- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
')
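Review bot: gnome_data_filetrans performs `filetrans_pattern($1, data_home_t, $2, $3, $4)` and `gnome_search_gconf($1)`, yet its summary (the `## Create objects in a Gnome gconf home directory` lines kept as context in the preceding hunk) still describes a gconf home transition. This text predates the rebase, so the mismatch is not introduced here, but since the hunk is being rewritten anyway the summary could say `## Create objects in a gnome data home directory (data_home_t) with an automatic type transition to a specified private type.`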
@@ -28614,44 +28650,41 @@ index ab09d61..d2cd4bf 100644
-########################################
+#######################################
##
--## Create objects in gnome gconf home
--## directories with a private type.
+-## Read generic gnome keyring home files.
+## Read generic data home files.
##
##
##
- ## Domain allowed access.
+@@ -612,46 +674,80 @@ interface(`gnome_gconf_home_filetrans',`
##
##
--##
--##
--## Private file type.
--##
--##
--##
--##
--## Class of the object being created.
--##
-+#
+ #
+-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_generic_data_home_files',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t, gnome_keyring_home_t;
+ type data_home_t, gconf_home_t;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+##
+ ##
+-## Send and receive messages from
+-## gnome keyring daemon over dbus.
+## Read generic data home dirs.
-+##
+ ##
+-##
+##
+##
+## Domain allowed access.
+##
- ##
--##
++##
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
@@ -28667,46 +28700,45 @@ index ab09d61..d2cd4bf 100644
+##
+##
##
--## The name of the object being created.
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+## Domain allowed access.
##
##
- #
--interface(`gnome_gconf_home_filetrans',`
++#
+interface(`gnome_manage_data',`
- gen_require(`
++ gen_require(`
+ type data_home_t;
- type gconf_home_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
++ type gconf_home_t;
++ ')
++
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
- ')
-
- ########################################
- ##
--## Read generic gnome keyring home files.
++')
++
++########################################
++##
+## Read icc data home content.
- ##
++##
##
##
-@@ -612,93 +714,86 @@ interface(`gnome_gconf_home_filetrans',`
+ ## Domain allowed access.
##
##
#
--interface(`gnome_read_keyring_home_files',`
+-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_read_home_icc_data_content',`
gen_require(`
-- type gnome_home_t, gnome_keyring_home_t;
+- type $1_gkeyringd_t;
+- class dbus send_msg;
+ type icc_data_home_t, gconf_home_t, data_home_t;
')
- userdom_search_user_home_dirs($1)
-- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+- allow $2 $1_gkeyringd_t:dbus send_msg;
+- allow $1_gkeyringd_t $2:dbus send_msg;
++ userdom_search_user_home_dirs($1)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
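Review bot: gnome_manage_data grants `allow $1 gconf_home_t:dir search_dir_perms;` plus manage patterns on data_home_t but never calls `userdom_search_user_home_dirs($1)`, whereas this same commit adds that call to gnome_read_home_icc_data_content later in the hunk. If data_home_t lives under the user home directory, callers of the manage interface will still be denied the home-directory search unless they obtain it elsewhere — worth confirming and adding the same line. Minor style: its gen_require block declares `type data_home_t;` and `type gconf_home_t;` on separate lines where the other interfaces in the file use a single `type data_home_t, gconf_home_t;` line.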
@@ -28715,46 +28747,43 @@ index ab09d61..d2cd4bf 100644
########################################
##
--## Send and receive messages from
+-## Send and receive messages from all
-## gnome keyring daemon over dbus.
+## Read inherited icc data home files.
##
--##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
--##
##
##
- ## Domain allowed access.
+@@ -659,46 +755,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
##
##
#
--interface(`gnome_dbus_chat_gkeyringd',`
+-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_read_inherited_home_icc_data_files',`
gen_require(`
-- type $1_gkeyringd_t;
+- attribute gkeyringd_domain;
- class dbus send_msg;
+ type icc_data_home_t;
')
-- allow $2 $1_gkeyringd_t:dbus send_msg;
-- allow $1_gkeyringd_t $2:dbus send_msg;
+- allow $1 gkeyringd_domain:dbus send_msg;
+- allow gkeyringd_domain $1:dbus send_msg;
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
')
########################################
##
--## Send and receive messages from all
--## gnome keyring daemon over dbus.
+-## Connect to gnome keyring daemon
+-## with a unix stream socket.
+## Create gconf_home_t objects in the /root directory
##
- ##
+-##
++##
##
- ## Domain allowed access.
- ##
- ##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
++## Domain allowed access.
++##
++##
+##
+##
+## The class of the object to be created.
@@ -28763,35 +28792,22 @@ index ab09d61..d2cd4bf 100644
+##
+##
+## The name of the object being created.
-+##
-+##
- #
--interface(`gnome_dbus_chat_all_gkeyringd',`
+ ##
+ ##
++#
+interface(`gnome_admin_home_gconf_filetrans',`
- gen_require(`
-- attribute gkeyringd_domain;
-- class dbus send_msg;
++ gen_require(`
+ type gconf_home_t;
- ')
-
-- allow $1 gkeyringd_domain:dbus send_msg;
-- allow gkeyringd_domain $1:dbus send_msg;
++ ')
++
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
- ')
-
- ########################################
- ##
--## Connect to gnome keyring daemon
--## with a unix stream socket.
++')
++
++########################################
++##
+## Do not audit attempts to read
+## inherited gconf config files.
- ##
--##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
--##
++##
##
##
-## Domain allowed access.
@@ -28819,7 +28835,7 @@ index ab09d61..d2cd4bf 100644
##
##
##
-@@ -706,12 +801,912 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +820,912 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -29738,7 +29754,7 @@ index ab09d61..d2cd4bf 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 63893eb..d6f68a8 100644
+index 63893eb..76cc0d8 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@@ -29777,7 +29793,7 @@ index 63893eb..d6f68a8 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -31,105 +50,224 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
@@ -30037,8 +30053,7 @@ index 63893eb..d6f68a8 100644
optional_policy(`
- telepathy_mission_control_read_state(gkeyringd_domain)
+ gnome_read_home_config(gkeyringd_domain)
-+ gnome_read_generic_cache_files(gkeyringd_domain)
-+ gnome_write_generic_cache_files(gkeyringd_domain)
++ gnome_manage_generic_cache_files(gkeyringd_domain)
+ gnome_manage_cache_home_dir(gkeyringd_domain)
+ gnome_manage_generic_cache_sockets(gkeyringd_domain)
')
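Review bot: Replacing `gnome_read_generic_cache_files(gkeyringd_domain)` and `gnome_write_generic_cache_files(gkeyringd_domain)` with `gnome_manage_generic_cache_files(gkeyringd_domain)` widens the keyring daemon's access on cache_home_t files from read/write to full manage (create, rename, unlink, setattr). If the daemon only opens existing cache files the earlier pair was the least-privilege grant; if it must create or remove files under .cache, a comment saying which ones would document the need, e.g. `# gkeyringd creates and removes its own files under ~/.cache — TODO note the path`. The enclosing optional_policy block starts outside this hunk.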
@@ -31554,10 +31569,10 @@ index b46130e..e2ae3b2 100644
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
-index 6517fad..17c3627 100644
+index 6517fad..b7ca833 100644
--- a/hypervkvp.if
+++ b/hypervkvp.if
-@@ -1,32 +1,111 @@
+@@ -1,32 +1,134 @@
-## HyperV key value pair (KVP).
+
+## policy for hypervkvp
@@ -31599,12 +31614,33 @@ index 6517fad..17c3627 100644
+ allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
++
++########################################
++##
++## Read hypervkvp lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hypervkvp_read_lib_files',`
++ gen_require(`
++ type hypervkvp_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
++ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++')
########################################
##
-## All of the rules required to
-## administrate an hypervkvp environment.
-+## Read hypervkvp lib files.
++## Create, read, write, and delete
++## hypervkvp lib files.
##
##
##
@@ -31613,35 +31649,37 @@ index 6517fad..17c3627 100644
##
-##
+#
-+interface(`hypervkvp_read_lib_files',`
++interface(`hypervkvp_manage_lib_files',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
-+ allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
-+########################################
++#######################################
+##
-+## Create, read, write, and delete
-+## hypervkvp lib files.
++## Execute hypervkvp server in the hypervkvp domain.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed to transition.
++##
+##
+#
-+interface(`hypervkvp_manage_lib_files',`
-+ gen_require(`
-+ type hypervkvp_var_lib_t;
-+ ')
++interface(`hypervkvp_systemctl',`
++ gen_require(`
++ type hypervkvp_t;
++ type hypervkvp_unit_file_t;
++ ')
+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
-+')
++ systemd_exec_systemctl($1)
++ allow $1 hypervkvp_unit_file_t:file read_file_perms;
++ allow $1 hypervkvp_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, hypervkvp_t)
++ ')
+
+########################################
+##
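Review bot: The summary of the new hypervkvp_systemctl interface, `## Execute hypervkvp server in the hypervkvp domain.`, and its parameter text `## Domain allowed to transition.` describe a domain transition, but the body grants `systemd_exec_systemctl($1)`, read access on hypervkvp_unit_file_t, `manage_service_perms` on its service class and `ps_process_pattern($1, hypervkvp_t)` — there is no domtrans. The description should match, e.g. `## Manage the hypervkvp service with systemctl.` and `## Domain allowed access.`. Two style points in the same hunk: the closing `')` of this interface is written with a leading space, unlike every other interface in the file, and the separator line above it appears one `#` shorter than the `########################################` used elsewhere.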
@@ -31683,10 +31721,10 @@ index 6517fad..17c3627 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..88bd0b2 100644
+index 4eb7041..3543847 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,59 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,61 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -31721,7 +31759,7 @@ index 4eb7041..88bd0b2 100644
#
-# Local policy
+# hyperv domain local policy
-+#
+ #
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
@@ -31729,19 +31767,21 @@ index 4eb7041..88bd0b2 100644
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
++corecmd_exec_shell(hyperv_domain)
++
+dev_read_sysfs(hyperv_domain)
+
+########################################
#
+# hypervkvp local policy
- #
-
--allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
--allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++#
++
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
-+
+
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+logging_send_syslog_msg(hypervkvp_t)
-logging_send_syslog_msg(hypervkvpd_t)
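Review bot: `corecmd_exec_shell(hyperv_domain)` is added to the shared hyperv_domain attribute, so every domain carrying that attribute gains shell execution, not only the daemon that actually runs scripts. If just one of the hyperv daemons needs a shell (which one is not visible here), granting it in that domain's own section keeps the others narrower; otherwise a comment naming the consumers would justify the attribute-wide grant, e.g. `# all hyperv daemons invoke helper shell scripts — TODO name the scripts`. The attribute's declaration is outside this hunk.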
@@ -38550,7 +38590,7 @@ index d314333..da30c5d 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
-index 4ec0eea..7f3d3fe 100644
+index 4ec0eea..c7e1da8 100644
--- a/lsm.te
+++ b/lsm.te
@@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
@@ -38571,7 +38611,7 @@ index 4ec0eea..7f3d3fe 100644
########################################
#
# Local policy
-@@ -26,4 +37,29 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +37,34 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
@@ -38584,9 +38624,12 @@ index 4ec0eea..7f3d3fe 100644
+# Local lsmd plugin policy
+#
+
++allow lsmd_plugin_t self:udp_socket create_socket_perms;
++
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+
+allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
++stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)
+
+manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
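Review bot: `allow lsmd_plugin_t self:udp_socket create_socket_perms;` is added without any matching corenet rule or comment, so it is unclear which plugin opens UDP sockets and for what; a one-line note such as `# UDP sockets needed by <plugin name placeholder> — TODO document` would let a later reviewer tell whether the grant is still required. It is also placed above `domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)`, a rule for lsmd_t, so the plugin's self rules and the daemon's transition rule interleave; grouping the lsmd_plugin_t rules together reads better. The `init_stream_connect(lsmd_plugin_t)` added in the next hunk would benefit from the same kind of justification.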
@@ -38598,6 +38641,8 @@ index 4ec0eea..7f3d3fe 100644
+
+corecmd_exec_bin(lsmd_plugin_t)
+
++init_stream_connect(lsmd_plugin_t)
++
+logging_send_syslog_msg(lsmd_plugin_t)
+
+sysnet_read_config(lsmd_plugin_t)
@@ -41848,16 +41893,16 @@ index 0000000..7415106
+/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0)
diff --git a/motion.if b/motion.if
new file mode 100644
-index 0000000..1b1b04c
+index 0000000..39f4a04
--- /dev/null
+++ b/motion.if
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,197 @@
+
+## Detect motion using a video4linux device
+
+########################################
+##
-+## Execute TEMPLATE in the motion domain.
++## Execute motion in the motion domain.
+##
+##
+##
@@ -41988,7 +42033,7 @@ index 0000000..1b1b04c
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 motion_unit_file_t:file read_file_perms;
+ allow $1 motion_unit_file_t:service manage_service_perms;
+
@@ -42028,12 +42073,16 @@ index 0000000..1b1b04c
+ gen_require(`
+ type motion_t;
+ type motion_log_t;
-+ type motion_unit_file_t;
++ type motion_unit_file_t;
+ ')
+
-+ allow $1 motion_t:process { ptrace signal_perms };
++ allow $1 motion_t:process { signal_perms };
+ ps_process_pattern($1, motion_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 motion_t:process ptrace;
++ ')
++
+ logging_search_logs($1)
+ admin_pattern($1, motion_log_t)
+
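Review bot: `allow $1 motion_t:process { signal_perms };` wraps a single permission-set macro in braces; they are harmless but unnecessary, and the file otherwise writes single sets bare (`allow $1 motion_unit_file_t:file read_file_perms;` in the previous hunk), so `allow $1 motion_t:process signal_perms;` is the consistent form. Moving ptrace under the deny_ptrace tunable_policy is the right direction. The enclosing interface starts and ends outside this hunk.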
@@ -47138,7 +47187,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 7584bbe..2d683f1 100644
+index 7584bbe..d053405 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@@ -47335,7 +47384,7 @@ index 7584bbe..2d683f1 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +186,28 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -47351,8 +47400,9 @@ index 7584bbe..2d683f1 100644
+files_dontaudit_access_check_root(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-+files_dontaudit_write_root_dirs(mysqld_safe_t)
++files_write_root_dirs(mysqld_safe_t)
++
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
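Review bot: Changing `files_dontaudit_write_root_dirs(mysqld_safe_t)` to `files_write_root_dirs(mysqld_safe_t)` turns a silenced denial into a real grant: mysqld_safe_t can now add or remove entries directly in the root directory. That is an unusual need for a database wrapper script and nothing in the hunk says what it writes there; if it is a single pid, socket or lock file, a named file transition to a private type (refpolicy's `files_root_filetrans`) plus manage rules on that type would be far narrower than write access on `/` itself. At minimum a comment should record the reason: `# mysqld_safe creates <file name placeholder> in / — TODO verify still needed`. The mysqld_safe_t section continues outside this hunk.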
@@ -47370,7 +47420,7 @@ index 7584bbe..2d683f1 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -209,7 +215,7 @@ optional_policy(`
+@@ -209,7 +216,7 @@ optional_policy(`
########################################
#
@@ -47379,7 +47429,7 @@ index 7584bbe..2d683f1 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +224,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -47397,7 +47447,7 @@ index 7584bbe..2d683f1 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -230,31 +237,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -49055,7 +49105,7 @@ index 86dc29d..5b73942 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..51ec888 100644
+index 55f2009..fae4607 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -49345,15 +49395,11 @@ index 55f2009..51ec888 100644
')
optional_policy(`
-@@ -257,11 +293,10 @@ optional_policy(`
+@@ -257,11 +293,14 @@ optional_policy(`
')
optional_policy(`
- libs_exec_ldconfig(NetworkManager_t)
--')
--
--optional_policy(`
-- modutils_domtrans_insmod(NetworkManager_t)
+ l2tpd_domtrans(NetworkManager_t)
+ l2tpd_sigkill(NetworkManager_t)
+ l2tpd_signal(NetworkManager_t)
@@ -49361,7 +49407,12 @@ index 55f2009..51ec888 100644
')
optional_policy(`
-@@ -274,10 +309,17 @@ optional_policy(`
+- modutils_domtrans_insmod(NetworkManager_t)
++ lldpad_dgram_send(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -274,10 +313,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -49379,7 +49430,7 @@ index 55f2009..51ec888 100644
')
optional_policy(`
-@@ -289,6 +331,7 @@ optional_policy(`
+@@ -289,6 +335,7 @@ optional_policy(`
')
optional_policy(`
@@ -49387,7 +49438,7 @@ index 55f2009..51ec888 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +339,7 @@ optional_policy(`
+@@ -296,7 +343,7 @@ optional_policy(`
')
optional_policy(`
@@ -49396,7 +49447,7 @@ index 55f2009..51ec888 100644
')
optional_policy(`
-@@ -307,6 +350,7 @@ optional_policy(`
+@@ -307,6 +354,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -49404,7 +49455,7 @@ index 55f2009..51ec888 100644
')
optional_policy(`
-@@ -320,14 +364,20 @@ optional_policy(`
+@@ -320,14 +368,20 @@ optional_policy(`
')
optional_policy(`
@@ -49430,7 +49481,7 @@ index 55f2009..51ec888 100644
')
optional_policy(`
-@@ -357,6 +407,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +411,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -54148,7 +54199,7 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..a7905db
+index 0000000..db2369b
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,27 @@
@@ -54167,7 +54218,7 @@ index 0000000..a7905db
+/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+
-+/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0)
++/var/log/mcollective\.log.* -- gen_context(system_u:object_r:openshift_log_t,s0)
+/var/log/openshift(/.*)? gen_context(system_u:object_r:openshift_log_t,s0)
+
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
@@ -56258,7 +56309,7 @@ index 9b15730..eedd136 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..128ff1f 100644
+index 44dbc99..75f7ebb 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@@ -56299,12 +56350,12 @@ index 44dbc99..128ff1f 100644
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
-+
-+can_exec(openvswitch_t, openvswitch_exec_t)
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
++can_exec(openvswitch_t, openvswitch_exec_t)
++
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
@@ -56322,7 +56373,7 @@ index 44dbc99..128ff1f 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -65,33 +67,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +67,40 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -56330,12 +56381,13 @@ index 44dbc99..128ff1f 100644
-
kernel_read_network_state(openvswitch_t)
kernel_read_system_state(openvswitch_t)
--
++kernel_request_load_module(openvswitch_t)
+
-corenet_all_recvfrom_unlabeled(openvswitch_t)
-corenet_all_recvfrom_netlabel(openvswitch_t)
-corenet_raw_sendrecv_generic_if(openvswitch_t)
-corenet_raw_sendrecv_generic_node(openvswitch_t)
-+kernel_request_load_module(openvswitch_t)
++corenet_tcp_connect_openflow_port(openvswitch_t)
corecmd_exec_bin(openvswitch_t)
+corecmd_exec_shell(openvswitch_t)
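Review bot: `corenet_tcp_connect_openflow_port(openvswitch_t)` only exists if corenetwork declares an `openflow` port via network_port, which this contrib patch does not do; the declaration has to come from the base policy, so the two must land together or this module fails to build — worth a comment next to the call. `kernel_request_load_module(openvswitch_t)` lets the daemon trigger kernel module autoloading, a capability normally kept tight; a comment naming the expected module, e.g. `# vswitchd triggers autoload of the openvswitch kernel module — TODO confirm`, would justify it. The openvswitch_t section continues outside this hunk.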
@@ -79078,7 +79130,7 @@ index abeb302..61b21d2 100644
')
diff --git a/rtas.fc b/rtas.fc
new file mode 100644
-index 0000000..25d96cb
+index 0000000..4552e91
--- /dev/null
+++ b/rtas.fc
@@ -0,0 +1,13 @@
@@ -79090,8 +79142,8 @@ index 0000000..25d96cb
+/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
+
+/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t)
-+/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t)
-+/var/log/epow_status -- gen_context(system_u:object_r:rtas_errd_log_t)
++/var/log/platform.* -- gen_context(system_u:object_r:rtas_errd_log_t)
++/var/log/epow_status.* -- gen_context(system_u:object_r:rtas_errd_log_t)
+
+/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0)
+
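Review bot: The two new `++` entries for `/var/log/platform.*` and `/var/log/epow_status.*` (like their neighbours `/var/lock/.*librtas` and `/var/log/rtas_errd.*`) call `gen_context` without the `,s0` sensitivity that `/var/run/rtas_errd.*` in the same hunk and the virt.fc entries later in this diff carry. If I read the `gen_context` macro right, an MLS-enabled build turns that into a context with an empty level, so these rtas_errd_log_t specs would be rejected or left unlabeled there. Since the lines are being touched anyway, `/var/log/platform.* -- gen_context(system_u:object_r:rtas_errd_log_t,s0)` and the same for the epow_status line would make them consistent.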
@@ -83243,7 +83295,7 @@ index 98c9e0a..df51942 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 299756b..1c63069 100644
+index 299756b..0e798f1 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -83280,10 +83332,12 @@ index 299756b..1c63069 100644
######################################
#
# Common sblim domain local policy
-@@ -32,31 +39,36 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+@@ -31,32 +38,38 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
+ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
-
++files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")
++
+manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
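Review bot: The new `files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")` line drops the spaces after its last two commas, unlike every other interface call in this hunk; `files_pid_filetrans(sblim_domain, sblim_var_run_t, dir, "gather")` keeps the file's formatting. `sblim_domain` appears to be an attribute shared by several sblim domains rather than a single type, so the named transition applies to all of them; if only the gatherer creates that directory, a short comment such as `# /var/run/gather is created by the gatherer` would make the intent clear. The sblim_domain block continues outside the hunk.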
@@ -83293,7 +83347,7 @@ index 299756b..1c63069 100644
+manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
-+
+
kernel_read_network_state(sblim_domain)
-kernel_read_system_state(sblim_domain)
@@ -83327,7 +83381,7 @@ index 299756b..1c63069 100644
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
-@@ -84,6 +96,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +97,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
init_read_utmp(sblim_gatherd_t)
@@ -83336,7 +83390,7 @@ index 299756b..1c63069 100644
sysnet_dns_name_resolve(sblim_gatherd_t)
term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +117,9 @@ optional_policy(`
+@@ -103,8 +118,9 @@ optional_policy(`
')
optional_policy(`
@@ -83347,7 +83401,7 @@ index 299756b..1c63069 100644
')
optional_policy(`
-@@ -117,6 +132,32 @@ optional_policy(`
+@@ -117,6 +133,32 @@ optional_policy(`
# Reposd local policy
#
@@ -86653,7 +86707,7 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index f2f507d..065cb98 100644
+index f2f507d..399c345 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -86815,7 +86869,15 @@ index f2f507d..065cb98 100644
')
optional_policy(`
-@@ -151,9 +199,25 @@ optional_policy(`
+@@ -147,13 +195,33 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ prelink_domtrans(sosreport_t)
++')
++
++optional_policy(`
+ pulseaudio_run(sosreport_t, sosreport_roles)
')
optional_policy(`
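Review bot: `prelink_domtrans(sosreport_t)` on the `++` line moves sosreport into the prelink_t domain, which is the domain permitted to rewrite executables on disk, so sosreport inherits far more than it needs if it only runs prelink to report or verify state. If prelink.if offers an execute-in-caller interface that would be the narrower choice; otherwise a comment recording why the full transition is required, e.g. `# sosreport runs prelink; transition needed because <reason>`, would keep the privilege from looking accidental. The enclosing optional_policy list continues outside the hunk.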
@@ -95001,7 +95063,7 @@ index 3d11c6a..b19a117 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index a4f20bc..9bad8b9 100644
+index a4f20bc..6351bcb 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,51 +1,92 @@
@@ -95133,7 +95195,7 @@ index a4f20bc..9bad8b9 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+
-+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
++/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
index facdee8..3ad56e3 100644