diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 73387ff..b8c55f3 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -765,7 +765,7 @@ index 66e85ea..d02654d 100644
## user domains.
##
diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..629fe1b 100644
+index 4705ab6..b7e7ea5 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,52 +6,59 @@
@@ -854,7 +854,7 @@ index 4705ab6..629fe1b 100644
## Allow any files/directories to be exported read/write via NFS.
##
##
-@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false)
##
##
@@ -880,6 +880,12 @@ index 4705ab6..629fe1b 100644
-gen_tunable(user_tcp_server,false)
+gen_tunable(selinuxuser_tcp_server,false)
+
++##
++##
++## Allow the mount commands to mount any directory or file.
++##
++##
++gen_tunable(mount_anyfile, false)
diff --git a/policy/mcs b/policy/mcs
index 216b3d1..81bc8c4 100644
--- a/policy/mcs
@@ -2865,7 +2871,7 @@ index d555767..4165b4d 100644
+ stapserver_manage_lib(useradd_t)
+')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..dcc6337 100644
+index 1dc7a85..c6f4da0 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -43,18 +43,18 @@ interface(`seunshare_run',`
@@ -2894,7 +2900,7 @@ index 1dc7a85..dcc6337 100644
##
##
## Role allowed access.
-@@ -66,15 +66,43 @@ interface(`seunshare_run',`
+@@ -66,15 +66,44 @@ interface(`seunshare_run',`
##
##
#
@@ -2933,6 +2939,7 @@ index 1dc7a85..dcc6337 100644
+ ')
+
+ ps_process_pattern($3, $1_seunshare_t)
++ dontaudit $1_seunshare_t $3:file read;
+ allow $3 $1_seunshare_t:process signal_perms;
+ allow $3 $1_seunshare_t:fd use;
+
@@ -8382,7 +8389,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..5376a48 100644
+index cf04cb5..19c3e01 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8510,7 +8517,7 @@ index cf04cb5..5376a48 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,275 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,287 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8531,6 +8538,10 @@ index cf04cb5..5376a48 100644
+')
+
+optional_policy(`
++ mandb_filetrans_named_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ seutil_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -8600,6 +8611,10 @@ index cf04cb5..5376a48 100644
+')
+
+optional_policy(`
++ iscsi_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ kerberos_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -8608,6 +8623,10 @@ index cf04cb5..5376a48 100644
+')
+
+optional_policy(`
++ mplayer_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ modules_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -20774,7 +20793,7 @@ index d1f64a0..97140ee 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..f0080ba 100644
+index 6bf0ecc..18223e7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -21246,7 +21265,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -21262,6 +21281,26 @@ index 6bf0ecc..f0080ba 100644
+
+########################################
+##
++## Allow domain to append XDM unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++
++interface(`xserver_append_xdm_stream_socket',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:unix_stream_socket append;
++')
++
++########################################
++##
+## Read XDM files in user home directories.
+##
+##
@@ -21320,7 +21359,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -21346,7 +21385,7 @@ index 6bf0ecc..f0080ba 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -21373,7 +21412,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -21401,7 +21440,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -21426,7 +21465,7 @@ index 6bf0ecc..f0080ba 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -21454,7 +21493,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -21463,7 +21502,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -21509,7 +21548,7 @@ index 6bf0ecc..f0080ba 100644
## Read xdm temporary files.
##
##
-@@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -21518,113 +21557,73 @@ index 6bf0ecc..f0080ba 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
-## Do not audit attempts to get the attributes of
--## xdm temporary named sockets.
+## Create, read, write, and delete xdm temporary dirs.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
++##
++##
++#
+interface(`xserver_relabel_xdm_tmp_dirs',`
- gen_require(`
- type xdm_tmp_t;
- ')
-
-- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
- ')
-
- ########################################
- ##
--## Execute the X server in the X server domain.
-+## Create, read, write, and delete xdm temporary dirs.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_domtrans',`
-+interface(`xserver_manage_xdm_tmp_dirs',`
- gen_require(`
-- type xserver_t, xserver_exec_t;
-+ type xdm_tmp_t;
- ')
-
-- allow $1 xserver_t:process siginh;
-- domtrans_pattern($1, xserver_exec_t, xserver_t)
-+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
- ')
-
- ########################################
- ##
--## Signal X servers
-+## Do not audit attempts to get the attributes of
-+## xdm temporary named sockets.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`xserver_signal',`
-+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
-+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
++ allow $1 xdm_tmp_t:dir relabel_dir_perms;
+')
+
+########################################
+##
-+## Execute the X server in the X server domain.
++## Create, read, write, and delete xdm temporary dirs.
+##
+##
+##
-+## Domain allowed to transition.
++## Domain allowed access.
+##
+##
+#
-+interface(`xserver_domtrans',`
++interface(`xserver_manage_xdm_tmp_dirs',`
+ gen_require(`
-+ type xserver_t, xserver_exec_t;
++ type xdm_tmp_t;
+ ')
+
-+ allow $1 xserver_t:process siginh;
-+ domtrans_pattern($1, xserver_exec_t, xserver_t)
-+
-+ allow xserver_t $1:process getpgid;
++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+##
-+## Signal X servers
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_signal',`
- gen_require(`
- type xserver_t;
++## Do not audit attempts to get the attributes of
+ ## xdm temporary named sockets.
+ ##
+ ##
+@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ type xdm_tmp_t;
')
-@@ -1210,6 +1579,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',`
+ type xserver_t, xserver_exec_t;
+ ')
+
+- allow $1 xserver_t:process siginh;
++ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
++
++ allow xserver_t $1:process getpgid;
+ ')
+
+ ########################################
+@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
########################################
##
@@ -21650,7 +21649,7 @@ index 6bf0ecc..f0080ba 100644
## Connect to the X server over a unix domain
## stream socket.
##
-@@ -1226,6 +1614,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -21677,7 +21676,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1251,7 +1659,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -21686,7 +21685,7 @@ index 6bf0ecc..f0080ba 100644
##
##
##
-@@ -1261,13 +1669,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -21711,7 +21710,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1284,10 +1702,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -26945,7 +26944,7 @@ index 24e7804..d0780a9 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..71d7cb6 100644
+index dd3be8d..8cda2bb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27185,7 +27184,7 @@ index dd3be8d..71d7cb6 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +273,178 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -27213,9 +27212,14 @@ index dd3be8d..71d7cb6 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
++ iscsi_read_lib_files(init_t)
+ ')
+
+ optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
+')
@@ -27344,14 +27348,13 @@ index dd3be8d..71d7cb6 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -27372,7 +27375,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -216,6 +452,27 @@ optional_policy(`
+@@ -216,6 +456,27 @@ optional_policy(`
')
optional_policy(`
@@ -27400,7 +27403,7 @@ index dd3be8d..71d7cb6 100644
unconfined_domain(init_t)
')
-@@ -225,8 +482,9 @@ optional_policy(`
+@@ -225,8 +486,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -27412,7 +27415,7 @@ index dd3be8d..71d7cb6 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +515,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +519,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -27429,7 +27432,7 @@ index dd3be8d..71d7cb6 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +540,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -27472,7 +27475,7 @@ index dd3be8d..71d7cb6 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +577,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +581,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -27484,7 +27487,7 @@ index dd3be8d..71d7cb6 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +589,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +593,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -27495,7 +27498,7 @@ index dd3be8d..71d7cb6 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +600,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +604,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -27505,7 +27508,7 @@ index dd3be8d..71d7cb6 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +609,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +613,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -27513,7 +27516,7 @@ index dd3be8d..71d7cb6 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +616,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -27521,7 +27524,7 @@ index dd3be8d..71d7cb6 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +624,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +628,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -27539,7 +27542,7 @@ index dd3be8d..71d7cb6 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +642,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +646,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -27553,7 +27556,7 @@ index dd3be8d..71d7cb6 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +657,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +661,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -27567,7 +27570,7 @@ index dd3be8d..71d7cb6 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +670,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +674,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -27575,7 +27578,7 @@ index dd3be8d..71d7cb6 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +682,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +686,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -27583,7 +27586,7 @@ index dd3be8d..71d7cb6 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +701,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +705,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -27607,7 +27610,7 @@ index dd3be8d..71d7cb6 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +734,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +738,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -27615,7 +27618,7 @@ index dd3be8d..71d7cb6 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +768,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -27626,7 +27629,7 @@ index dd3be8d..71d7cb6 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +792,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +796,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -27635,7 +27638,7 @@ index dd3be8d..71d7cb6 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +807,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +811,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -27643,7 +27646,7 @@ index dd3be8d..71d7cb6 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +828,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +832,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -27651,7 +27654,7 @@ index dd3be8d..71d7cb6 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +838,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +842,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -27696,7 +27699,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -558,14 +883,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +887,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -27728,7 +27731,7 @@ index dd3be8d..71d7cb6 100644
')
')
-@@ -576,6 +918,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +922,39 @@ ifdef(`distro_suse',`
')
')
@@ -27768,7 +27771,7 @@ index dd3be8d..71d7cb6 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +963,8 @@ optional_policy(`
+@@ -588,6 +967,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -27777,7 +27780,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -609,6 +986,7 @@ optional_policy(`
+@@ -609,6 +990,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -27785,7 +27788,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -625,6 +1003,17 @@ optional_policy(`
+@@ -625,6 +1007,17 @@ optional_policy(`
')
optional_policy(`
@@ -27803,7 +27806,7 @@ index dd3be8d..71d7cb6 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1030,13 @@ optional_policy(`
+@@ -641,9 +1034,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -27817,7 +27820,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -656,15 +1049,11 @@ optional_policy(`
+@@ -656,15 +1053,11 @@ optional_policy(`
')
optional_policy(`
@@ -27835,7 +27838,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -685,6 +1074,15 @@ optional_policy(`
+@@ -685,6 +1078,15 @@ optional_policy(`
')
optional_policy(`
@@ -27851,7 +27854,7 @@ index dd3be8d..71d7cb6 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1123,7 @@ optional_policy(`
+@@ -725,6 +1127,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -27859,7 +27862,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -742,7 +1141,14 @@ optional_policy(`
+@@ -742,7 +1145,14 @@ optional_policy(`
')
optional_policy(`
@@ -27874,7 +27877,7 @@ index dd3be8d..71d7cb6 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1171,10 @@ optional_policy(`
+@@ -765,6 +1175,10 @@ optional_policy(`
')
optional_policy(`
@@ -27885,7 +27888,7 @@ index dd3be8d..71d7cb6 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1184,20 @@ optional_policy(`
+@@ -774,10 +1188,20 @@ optional_policy(`
')
optional_policy(`
@@ -27906,7 +27909,7 @@ index dd3be8d..71d7cb6 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1206,10 @@ optional_policy(`
+@@ -786,6 +1210,10 @@ optional_policy(`
')
optional_policy(`
@@ -27917,7 +27920,7 @@ index dd3be8d..71d7cb6 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1231,6 @@ optional_policy(`
+@@ -807,8 +1235,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -27926,7 +27929,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -817,6 +1239,10 @@ optional_policy(`
+@@ -817,6 +1243,10 @@ optional_policy(`
')
optional_policy(`
@@ -27937,7 +27940,7 @@ index dd3be8d..71d7cb6 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1252,12 @@ optional_policy(`
+@@ -826,10 +1256,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -27950,7 +27953,7 @@ index dd3be8d..71d7cb6 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1284,27 @@ optional_policy(`
+@@ -856,12 +1288,27 @@ optional_policy(`
')
optional_policy(`
@@ -27979,7 +27982,7 @@ index dd3be8d..71d7cb6 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1314,18 @@ optional_policy(`
+@@ -871,6 +1318,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -27998,7 +28001,7 @@ index dd3be8d..71d7cb6 100644
')
optional_policy(`
-@@ -886,6 +1341,10 @@ optional_policy(`
+@@ -886,6 +1345,10 @@ optional_policy(`
')
optional_policy(`
@@ -28009,7 +28012,7 @@ index dd3be8d..71d7cb6 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1355,196 @@ optional_policy(`
+@@ -896,3 +1359,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28436,7 +28439,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..b6e9ebc 100644
+index 9e54bf9..468dc31 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28462,7 +28465,7 @@ index 9e54bf9..b6e9ebc 100644
allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-+allow ipsec_t self:unix_stream_socket create_stream_socket_perms;
++allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
@@ -28737,7 +28740,7 @@ index c42fbc3..174cfdb 100644
##
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..022d91d 100644
+index 5dfa44b..2502d06 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -28834,15 +28837,20 @@ index 5dfa44b..022d91d 100644
')
optional_policy(`
-@@ -124,6 +129,7 @@ optional_policy(`
+@@ -124,6 +129,12 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
+ psad_write_log(iptables_t)
++')
++
++optional_policy(`
++ quantum_rw_inherited_pipes(iptables_t)
++ quantum_sigchld(iptables_t)
')
optional_policy(`
-@@ -135,9 +141,9 @@ optional_policy(`
+@@ -135,9 +146,9 @@ optional_policy(`
')
optional_policy(`
@@ -29526,7 +29534,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..e06286c 100644
+index c04ac46..799d194 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -29650,15 +29658,19 @@ index c04ac46..e06286c 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +211,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
+kernel_read_crypto_sysctls(sulogin_t)
kernel_read_system_state(sulogin_t)
++dev_getattr_all_chr_files(sulogin_t)
++dev_getattr_all_blk_files(sulogin_t)
++
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +220,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+ fs_rw_tmpfs_chr_files(sulogin_t)
+
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -29675,7 +29687,9 @@ index c04ac46..e06286c 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +238,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ userdom_use_unpriv_users_fds(sulogin_t)
+
++userdom_search_admin_dir(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -29702,7 +29716,7 @@ index c04ac46..e06286c 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +266,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -31325,7 +31339,7 @@ index fc28bc3..2960ed7 100644
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index d6293de..3225647 100644
+index d6293de..8f8d80d 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
@@ -31336,6 +31350,19 @@ index d6293de..3225647 100644
attribute cert_type;
#
+@@ -48,10 +47,10 @@ files_type(man_cache_t)
+ # Types for public content
+ #
+ type public_content_t; #, customizable;
+-files_type(public_content_t)
++files_mountpoint(public_content_t)
+
+ type public_content_rw_t; #, customizable;
+-files_type(public_content_rw_t)
++files_mountpoint(public_content_rw_t)
+
+ #
+ # Base type for the tests directory.
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 9933677..b155a0d 100644
--- a/policy/modules/system/modutils.fc
@@ -32054,16 +32081,20 @@ index 4584457..e432df3 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..8288fd0 100644
+index 6a50270..fa545e7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
- ## Allow the mount command to mount any directory or file.
- ##
- ##
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(mount_anyfile, false)
+@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1)
+ # Declarations
+ #
+-##