diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index fac149d..da6f779 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8721,7 +8721,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..2b917b5 100644
+index cf04cb5..5a40b38 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8858,7 +8858,7 @@ index cf04cb5..2b917b5 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,297 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9027,6 +9027,7 @@ index cf04cb5..2b917b5 100644
+ systemd_login_reboot(unconfined_domain_type)
+ systemd_login_halt(unconfined_domain_type)
+ systemd_login_undefined(unconfined_domain_type)
++ systemd_filetrans_named_content(named_filetrans_domain)
+ systemd_filetrans_named_hostname(named_filetrans_domain)
+')
+
@@ -22814,7 +22815,7 @@ index 6bf0ecc..9b46e11 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..93b05fa 100644
+index 2696452..adbe339 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -23179,7 +23180,7 @@ index 2696452..93b05fa 100644
+ allow xdm_t self:process ptrace;
+')
+
-+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -27633,7 +27634,7 @@ index 24e7804..c4155c7 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..df6af48 100644
+index dd3be8d..b717a9e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27681,7 +27682,7 @@ index dd3be8d..df6af48 100644
# Mark file type as a daemon run directory
attribute daemonrundir;
-@@ -35,12 +57,13 @@ attribute daemonrundir;
+@@ -35,12 +57,14 @@ attribute daemonrundir;
#
# init_t is the domain of the init process.
#
@@ -27690,13 +27691,14 @@ index dd3be8d..df6af48 100644
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
++domain_role_change_exemption(init_t)
kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;
+init_initrc_domain(init_t)
#
# init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +72,15 @@ type init_var_run_t;
+@@ -49,6 +73,15 @@ type init_var_run_t;
files_pid_file(init_var_run_t)
#
@@ -27712,7 +27714,7 @@ index dd3be8d..df6af48 100644
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
-@@ -57,7 +89,7 @@ type initctl_t;
+@@ -57,7 +90,7 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
@@ -27721,7 +27723,7 @@ index dd3be8d..df6af48 100644
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +98,8 @@ role system_r types initrc_t;
+@@ -66,6 +99,8 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
@@ -27730,7 +27732,7 @@ index dd3be8d..df6af48 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -98,7 +132,8 @@ ifdef(`enable_mls',`
+@@ -98,7 +133,8 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -27740,7 +27742,7 @@ index dd3be8d..df6af48 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +146,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -27780,7 +27782,7 @@ index dd3be8d..df6af48 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +182,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -27799,7 +27801,7 @@ index dd3be8d..df6af48 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -27820,7 +27822,7 @@ index dd3be8d..df6af48 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +223,49 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -27873,7 +27875,7 @@ index dd3be8d..df6af48 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +274,182 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -28064,7 +28066,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -216,7 +456,29 @@ optional_policy(`
+@@ -216,7 +457,29 @@ optional_policy(`
')
optional_policy(`
@@ -28094,7 +28096,7 @@ index dd3be8d..df6af48 100644
')
########################################
-@@ -225,8 +487,9 @@ optional_policy(`
+@@ -225,8 +488,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28106,7 +28108,7 @@ index dd3be8d..df6af48 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +520,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +521,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28123,7 +28125,7 @@ index dd3be8d..df6af48 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +545,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28166,7 +28168,7 @@ index dd3be8d..df6af48 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +582,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +583,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28178,7 +28180,7 @@ index dd3be8d..df6af48 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +594,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +595,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28189,7 +28191,7 @@ index dd3be8d..df6af48 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +605,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +606,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28199,7 +28201,7 @@ index dd3be8d..df6af48 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +614,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +615,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28207,7 +28209,7 @@ index dd3be8d..df6af48 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +621,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28215,7 +28217,7 @@ index dd3be8d..df6af48 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +629,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +630,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28233,7 +28235,7 @@ index dd3be8d..df6af48 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +647,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +648,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28247,7 +28249,7 @@ index dd3be8d..df6af48 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +662,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +663,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28261,7 +28263,7 @@ index dd3be8d..df6af48 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +675,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +676,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28269,7 +28271,7 @@ index dd3be8d..df6af48 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +687,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +688,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28277,7 +28279,7 @@ index dd3be8d..df6af48 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +706,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +707,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28301,7 +28303,7 @@ index dd3be8d..df6af48 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +739,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +740,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28309,7 +28311,7 @@ index dd3be8d..df6af48 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +773,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +774,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28320,7 +28322,7 @@ index dd3be8d..df6af48 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +797,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +798,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28329,7 +28331,7 @@ index dd3be8d..df6af48 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +812,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +813,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28337,7 +28339,7 @@ index dd3be8d..df6af48 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +833,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +834,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28345,7 +28347,7 @@ index dd3be8d..df6af48 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +843,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +844,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -28390,7 +28392,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -558,14 +888,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +889,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -28422,7 +28424,7 @@ index dd3be8d..df6af48 100644
')
')
-@@ -576,6 +923,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +924,39 @@ ifdef(`distro_suse',`
')
')
@@ -28462,7 +28464,7 @@ index dd3be8d..df6af48 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +968,8 @@ optional_policy(`
+@@ -588,6 +969,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28471,7 +28473,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -609,6 +991,7 @@ optional_policy(`
+@@ -609,6 +992,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -28479,7 +28481,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -625,6 +1008,17 @@ optional_policy(`
+@@ -625,6 +1009,17 @@ optional_policy(`
')
optional_policy(`
@@ -28497,7 +28499,7 @@ index dd3be8d..df6af48 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1035,13 @@ optional_policy(`
+@@ -641,9 +1036,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28511,7 +28513,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -656,15 +1054,11 @@ optional_policy(`
+@@ -656,15 +1055,11 @@ optional_policy(`
')
optional_policy(`
@@ -28529,7 +28531,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -685,6 +1079,15 @@ optional_policy(`
+@@ -685,6 +1080,15 @@ optional_policy(`
')
optional_policy(`
@@ -28545,7 +28547,7 @@ index dd3be8d..df6af48 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1128,7 @@ optional_policy(`
+@@ -725,6 +1129,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -28553,7 +28555,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -742,7 +1146,13 @@ optional_policy(`
+@@ -742,7 +1147,13 @@ optional_policy(`
')
optional_policy(`
@@ -28568,7 +28570,7 @@ index dd3be8d..df6af48 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1175,10 @@ optional_policy(`
+@@ -765,6 +1176,10 @@ optional_policy(`
')
optional_policy(`
@@ -28579,7 +28581,7 @@ index dd3be8d..df6af48 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1188,20 @@ optional_policy(`
+@@ -774,10 +1189,20 @@ optional_policy(`
')
optional_policy(`
@@ -28600,7 +28602,7 @@ index dd3be8d..df6af48 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1210,10 @@ optional_policy(`
+@@ -786,6 +1211,10 @@ optional_policy(`
')
optional_policy(`
@@ -28611,7 +28613,7 @@ index dd3be8d..df6af48 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1235,6 @@ optional_policy(`
+@@ -807,8 +1236,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28620,7 +28622,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -817,6 +1243,10 @@ optional_policy(`
+@@ -817,6 +1244,10 @@ optional_policy(`
')
optional_policy(`
@@ -28631,7 +28633,7 @@ index dd3be8d..df6af48 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1256,12 @@ optional_policy(`
+@@ -826,10 +1257,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28644,7 +28646,7 @@ index dd3be8d..df6af48 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1288,28 @@ optional_policy(`
+@@ -856,12 +1289,28 @@ optional_policy(`
')
optional_policy(`
@@ -28674,7 +28676,7 @@ index dd3be8d..df6af48 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1319,18 @@ optional_policy(`
+@@ -871,6 +1320,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -28693,7 +28695,7 @@ index dd3be8d..df6af48 100644
')
optional_policy(`
-@@ -886,6 +1346,10 @@ optional_policy(`
+@@ -886,6 +1347,10 @@ optional_policy(`
')
optional_policy(`
@@ -28704,7 +28706,7 @@ index dd3be8d..df6af48 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1360,196 @@ optional_policy(`
+@@ -896,3 +1361,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29489,7 +29491,7 @@ index c42fbc3..174cfdb 100644
## <summary>
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..4abf7fd 100644
+index 5dfa44b..cafb28e 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -29600,8 +29602,8 @@ index 5dfa44b..4abf7fd 100644
+')
+
+optional_policy(`
-+ quantum_rw_inherited_pipes(iptables_t)
-+ quantum_sigchld(iptables_t)
++ neutron_rw_inherited_pipes(iptables_t)
++ neutron_sigchld(iptables_t)
')
optional_policy(`
@@ -33463,7 +33465,7 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..9fcc183 100644
+index 3822072..270bde3 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@@ -33869,7 +33871,7 @@ index 3822072..9fcc183 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1310,66 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1310,67 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -33935,12 +33937,15 @@ index 3822072..9fcc183 100644
+ files_search_etc($1)
+ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ read_files_pattern($1, semanage_store_t, semanage_store_t)
++ read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
')
########################################
-@@ -1044,6 +1392,9 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1392,11 @@ interface(`seutil_manage_module_store',`
+ files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
++ manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
@@ -33948,7 +33953,7 @@ index 3822072..9fcc183 100644
')
#######################################
-@@ -1137,3 +1488,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1490,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -39056,7 +39061,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..fc2fb65 100644
+index 3c5dba7..c4bc032 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -41746,7 +41751,7 @@ index 3c5dba7..fc2fb65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',`
+@@ -3431,11 +4227,1518 @@ interface(`userdom_create_all_users_keys',`
## </summary>
## </param>
#
@@ -42659,6 +42664,8 @@ index 3c5dba7..fc2fb65 100644
+
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+')
+
+#######################################
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 04f1130..4595712 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2682,10 +2682,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..0c9dc73
+index 0000000..e10fe0d
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,261 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2783,14 +2783,12 @@ index 0000000..0c9dc73
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
++kernel_read_network_state(antivirus_t)
+kernel_read_net_sysctls(antivirus_t)
+kernel_read_kernel_sysctls(antivirus_domain)
+kernel_read_sysctl(antivirus_domain)
+kernel_read_system_state(antivirus_t)
+
-+kernel_dontaudit_list_proc(antivirus_domain)
-+kernel_dontaudit_read_proc_symlinks(antivirus_domain)
-+
+corecmd_exec_bin(antivirus_domain)
+corecmd_exec_shell(antivirus_domain)
+
@@ -2827,6 +2825,10 @@ index 0000000..0c9dc73
+corenet_tcp_connect_http_port(antivirus_domain)
+corenet_tcp_sendrecv_http_port(antivirus_domain)
+
++corenet_sendrecv_http_cache_client_packets(antivirus_domain)
++corenet_tcp_connect_http_cache_port(antivirus_domain)
++corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
++
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
@@ -2851,6 +2853,7 @@ index 0000000..0c9dc73
+init_read_state(antivirus_domain)
+init_read_utmp(antivirus_domain)
+init_stream_connect_script(antivirus_domain)
++init_dontaudit_write_utmp(antivirus_domain)
+
+logging_send_syslog_msg(antivirus_t)
+
@@ -2858,6 +2861,7 @@ index 0000000..0c9dc73
+
+sysnet_use_ldap(antivirus_domain)
+
++userdom_stream_connect(antivirus_domain)
+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
+
+tunable_policy(`antivirus_can_scan_system',`
@@ -9204,10 +9208,10 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..6b6cd51 100644
+index 7c92aa1..47619ff 100644
--- a/boinc.te
+++ b/boinc.te
-@@ -1,11 +1,13 @@
+@@ -1,11 +1,20 @@
-policy_module(boinc, 1.0.3)
+policy_module(boinc, 1.0.0)
@@ -9217,13 +9221,20 @@ index 7c92aa1..6b6cd51 100644
#
-type boinc_t;
++## <desc>
++## <p>
++## Allow boinc_domain execmem/execstack.
++## </p>
++## </desc>
++gen_tunable(boinc_execmem, true)
++
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
@@ -9255,7 +9266,6 @@ index 7c92aa1..6b6cd51 100644
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
-+allow boinc_domain self:process execmem;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
@@ -9277,6 +9287,10 @@ index 7c92aa1..6b6cd51 100644
+
+miscfiles_read_fonts(boinc_domain)
+
++tunable_policy(`boinc_execmem',`
++ allow boinc_domain self:process { execstack execmem };
++')
++
+optional_policy(`
+ sysnet_dns_name_resolve(boinc_domain)
+')
@@ -9299,7 +9313,7 @@ index 7c92aa1..6b6cd51 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +91,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -9396,7 +9410,7 @@ index 7c92aa1..6b6cd51 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +141,67 @@ init_read_utmp(boinc_t)
+@@ -130,55 +151,67 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -11811,10 +11825,10 @@ index 0000000..8ac848b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..a56e579
+index 0000000..0f133be
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,297 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -11919,6 +11933,8 @@ index 0000000..a56e579
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
++domain_read_all_domains_state(cloud_init_t)
++
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
@@ -11978,7 +11994,6 @@ index 0000000..a56e579
+ unconfined_domain(cloud_init_t)
+')
+
-+
+########################################
+#
+# deltacloudd local policy
@@ -13908,7 +13923,7 @@ index c086302..4f33119 100644
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
-index 83d6744..b934cb7 100644
+index 83d6744..afa2f78 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,6 +2,44 @@
@@ -13956,7 +13971,7 @@ index 83d6744..b934cb7 100644
## All of the rules required to
## administrate an couchdb environment.
## </summary>
-@@ -10,6 +48,108 @@
+@@ -10,6 +48,127 @@
## Domain allowed access.
## </summary>
## </param>
@@ -14027,6 +14042,25 @@ index 83d6744..b934cb7 100644
+ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
++#######################################
++## <summary>
++## Search couchdb PID dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`couchdb_search_pid_dirs',`
++ gen_require(`
++ type couchdb_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 couchdb_var_run_t:dir search_dir_perms;
++')
++
+########################################
+## <summary>
+## Execute couchdb server in the couchdb domain.
@@ -14065,7 +14099,7 @@ index 83d6744..b934cb7 100644
## <param name="role">
## <summary>
## Role allowed access.
-@@ -19,14 +159,19 @@
+@@ -19,14 +178,19 @@
#
interface(`couchdb_admin',`
gen_require(`
@@ -14086,7 +14120,7 @@ index 83d6744..b934cb7 100644
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +191,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +210,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
@@ -21464,7 +21498,7 @@ index 19aa0b8..1e8b244 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..0a3179c 100644
+index ba14bcf..a3e6c7c 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -21538,10 +21572,10 @@ index ba14bcf..0a3179c 100644
')
+
+optional_policy(`
-+ quantum_manage_lib_files(dnsmasq_t)
-+ quantum_stream_connect(dnsmasq_t)
-+ quantum_rw_fifo_file(dnsmasq_t)
-+ quantum_sigchld(dnsmasq_t)
++ neutron_manage_lib_files(dnsmasq_t)
++ neutron_stream_connect(dnsmasq_t)
++ neutron_rw_fifo_file(dnsmasq_t)
++ neutron_sigchld(dnsmasq_t)
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
@@ -23943,7 +23977,7 @@ index 5cf6ac6..0fc685b 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..2888d51 100644
+index c8014f8..bacc80c 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -24024,7 +24058,7 @@ index c8014f8..2888d51 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -85,6 +102,10 @@ optional_policy(`
+@@ -85,9 +102,17 @@ optional_policy(`
')
optional_policy(`
@@ -24035,6 +24069,13 @@ index c8014f8..2888d51 100644
iptables_domtrans(firewalld_t)
')
+ optional_policy(`
+ modutils_domtrans_insmod(firewalld_t)
+ ')
++
++optional_policy(`
++ NetworkManager_read_state(firewalld_t)
++')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1..941f4ef 100644
--- a/firewallgui.if
@@ -29981,7 +30022,7 @@ index fbb54e7..05c3777 100644
########################################
diff --git a/inetd.te b/inetd.te
-index 1a5ed62..9762e4a 100644
+index 1a5ed62..420305b 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@@ -29996,7 +30037,15 @@ index 1a5ed62..9762e4a 100644
allow inetd_t self:fifo_file rw_fifo_file_perms;
allow inetd_t self:tcp_socket { accept listen };
allow inetd_t self:fd use;
-@@ -98,6 +98,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
+@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
+ kernel_tcp_recvfrom_unlabeled(inetd_t)
+
+ corecmd_bin_domtrans(inetd_t, inetd_child_t)
++corecmd_exec_shell(inetd_t)
+
+ corenet_all_recvfrom_unlabeled(inetd_t)
+ corenet_all_recvfrom_netlabel(inetd_t)
+@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
@@ -30008,7 +30057,7 @@ index 1a5ed62..9762e4a 100644
corenet_sendrecv_ircd_server_packets(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
-@@ -157,8 +162,6 @@ auth_use_nsswitch(inetd_t)
+@@ -157,8 +163,6 @@ auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
@@ -30017,7 +30066,7 @@ index 1a5ed62..9762e4a 100644
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
-@@ -188,7 +191,7 @@ optional_policy(`
+@@ -188,7 +192,7 @@ optional_policy(`
')
optional_policy(`
@@ -30026,7 +30075,7 @@ index 1a5ed62..9762e4a 100644
')
optional_policy(`
-@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
+@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
kernel_read_system_state(inetd_child_t)
@@ -30041,7 +30090,7 @@ index 1a5ed62..9762e4a 100644
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
@@ -37776,7 +37825,7 @@ index 1d4eb19..650014e 100644
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
-index 4926208..018a640 100644
+index 4926208..4396320 100644
--- a/memcached.te
+++ b/memcached.te
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
@@ -37788,7 +37837,15 @@ index 4926208..018a640 100644
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
-@@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t)
+@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t)
+ corenet_udp_bind_memcache_port(memcached_t)
+ corenet_udp_sendrecv_all_ports(memcached_t)
+
++dev_read_sysfs(memcached_t)
++
+ term_dontaudit_use_all_ptys(memcached_t)
+ term_dontaudit_use_all_ttys(memcached_t)
+ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
@@ -45611,7 +45668,7 @@ index a1fb3c3..82f8ae6 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..0b68b86 100644
+index 0e8508c..f8893f8 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -45697,14 +45754,42 @@ index 0e8508c..0b68b86 100644
## <summary>
-## Execute networkmanager scripts with
-## an automatic domain transition to initrc.
-+## Execute NetworkManager scripts with an automatic domain transition to initrc.
++## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
## </summary>
## <param name="domain">
## <summary>
-@@ -114,8 +116,31 @@ interface(`networkmanager_initrc_domtrans',`
-
- ########################################
- ## <summary>
+@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
+ ## </summary>
+ ## </param>
+ #
++interface(`networkmanager_NetworkManagerrc_domtrans',`
++ gen_require(`
++ type NetworkManager_NetworkManagerrc_exec_t;
++ ')
++
++ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
++')
++
++#######################################
++## <summary>
++## Execute NetworkManager scripts with an automatic domain transition to initrc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
+ interface(`networkmanager_initrc_domtrans',`
++ gen_require(`
++ type NetworkManager_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
++')
++
++########################################
++## <summary>
+## Execute NetworkManager server in the NetworkManager domain.
+## </summary>
+## <param name="domain">
@@ -45714,27 +45799,29 @@ index 0e8508c..0b68b86 100644
+## </param>
+#
+interface(`networkmanager_systemctl',`
-+ gen_require(`
+ gen_require(`
+- type NetworkManager_initrc_exec_t;
+ type NetworkManager_unit_file_t;
+ type NetworkManager_t;
-+ ')
-+
+ ')
+
+- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ systemd_exec_systemctl($1)
+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
+ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, NetworkManager_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
## Send and receive messages from
-## networkmanager over dbus.
+## NetworkManager over dbus.
## </summary>
## <param name="domain">
## <summary>
-@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',`
+@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',`
########################################
## <summary>
@@ -45765,7 +45852,7 @@ index 0e8508c..0b68b86 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -153,7 +200,7 @@ interface(`networkmanager_signal',`
+@@ -153,7 +218,7 @@ interface(`networkmanager_signal',`
########################################
## <summary>
@@ -45774,7 +45861,7 @@ index 0e8508c..0b68b86 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',`
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
')
@@ -45804,7 +45891,7 @@ index 0e8508c..0b68b86 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',`
## </summary>
## </param>
#
@@ -45829,7 +45916,7 @@ index 0e8508c..0b68b86 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -201,23 +266,23 @@ interface(`networkmanager_append_log_files',`
+@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',`
## </summary>
## </param>
#
@@ -45858,7 +45945,7 @@ index 0e8508c..0b68b86 100644
## </summary>
## </param>
## <param name="role">
-@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',`
## </param>
## <rolecap/>
#
@@ -45949,6 +46036,26 @@ index 0e8508c..0b68b86 100644
+ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
++#######################################
++## <summary>
++## Read the process state (/proc/pid) of NetworkManager.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`NetworkManager_read_state',`
++ gen_require(`
++ type NetworkManager_t;
++ ')
++
++ allow $1 NetworkManager_t:dir search_dir_perms;
++ allow $1 NetworkManager_t:file read_file_perms;
++ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
++')
++
+########################################
+## <summary>
+## Transition to networkmanager named content
@@ -48332,7 +48439,7 @@ index 97df768..852d1c6 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index a3e56f0..8903423 100644
+index a3e56f0..f70a784 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -1,4 +1,4 @@
@@ -48358,8 +48465,12 @@ index a3e56f0..8903423 100644
allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -38,12 +38,8 @@ kernel_read_system_state(nslcd_t)
+@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
+ kernel_read_system_state(nslcd_t)
++dev_read_sysfs(nslcd_t)
++
corenet_all_recvfrom_unlabeled(nslcd_t)
corenet_all_recvfrom_netlabel(nslcd_t)
-corenet_tcp_sendrecv_generic_if(nslcd_t)
@@ -48372,7 +48483,7 @@ index a3e56f0..8903423 100644
files_read_usr_symlinks(nslcd_t)
files_list_tmp(nslcd_t)
-@@ -52,10 +48,14 @@ auth_use_nsswitch(nslcd_t)
+@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
@@ -66101,26 +66212,45 @@ index 76f5b39..8bb80a2 100644
+')
+
diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..e97da31 100644
+index 70ab68b..1de192b 100644
--- a/quantum.fc
+++ b/quantum.fc
-@@ -1,9 +1,14 @@
-+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0)
-+
- /etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
-
- /usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:quantum_exec_t,s0)
-
- /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
-
+@@ -1,10 +1,26 @@
+-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+
+-/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
+
+-/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
++/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
++/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
+
+-/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
++/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
++/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
++
++/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
++/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
diff --git a/quantum.if b/quantum.if
-index afc0068..7b3cfad 100644
+index afc0068..3105104 100644
--- a/quantum.if
+++ b/quantum.if
@@ -2,41 +2,293 @@
@@ -66129,7 +66259,7 @@ index afc0068..7b3cfad 100644
## <summary>
-## All of the rules required to
-## administrate an quantum environment.
-+## Transition to quantum.
++## Transition to neutron.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66137,77 +66267,78 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_domtrans',`
++interface(`neutron_domtrans',`
+ gen_require(`
-+ type quantum_t, quantum_exec_t;
++ type neutron_t, neutron_exec_t;
+ ')
+
+ corecmd_search_bin($1)
-+ domtrans_pattern($1, quantum_exec_t, quantum_t)
++ domtrans_pattern($1, neutron_exec_t, neutron_t)
+')
+
+########################################
+## <summary>
-+## Allow read/write quantum pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
++## Allow read/write neutron pipes
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
-+interface(`quantum_rw_inherited_pipes',`
++interface(`neutron_rw_inherited_pipes',`
+ gen_require(`
-+ type quantum_t;
++ type neutron_t;
+ ')
+
-+ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Send sigchld to quantum.
- ## </summary>
- ## <param name="domain">
++## Send sigchld to neutron.
++## </summary>
++## <param name="domain">
## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="role">
+-## Role allowed access.
++## Domain allowed access.
++## </summary>
++## </param>
+#
+#
-+interface(`quantum_sigchld',`
++interface(`neutron_sigchld',`
+ gen_require(`
-+ type quantum_t;
++ type neutron_t;
+ ')
+
-+ allow $1 quantum_t:process sigchld;
++ allow $1 neutron_t:process sigchld;
+')
+
+########################################
+## <summary>
-+## Read quantum's log files.
++## Read neutron's log files.
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access.
++## <summary>
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
-+interface(`quantum_read_log',`
+-interface(`quantum_admin',`
++interface(`neutron_read_log',`
+ gen_require(`
-+ type quantum_log_t;
++ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
-+ read_files_pattern($1, quantum_log_t, quantum_log_t)
++ read_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
-+## Append to quantum log files.
++## Append to neutron log files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66215,18 +66346,18 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_append_log',`
++interface(`neutron_append_log',`
+ gen_require(`
-+ type quantum_log_t;
++ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
-+ append_files_pattern($1, quantum_log_t, quantum_log_t)
++ append_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
-+## Manage quantum log files
++## Manage neutron log files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66234,20 +66365,20 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_manage_log',`
++interface(`neutron_manage_log',`
+ gen_require(`
-+ type quantum_log_t;
++ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
-+ manage_dirs_pattern($1, quantum_log_t, quantum_log_t)
-+ manage_files_pattern($1, quantum_log_t, quantum_log_t)
-+ manage_lnk_files_pattern($1, quantum_log_t, quantum_log_t)
++ manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
++ manage_files_pattern($1, neutron_log_t, neutron_log_t)
++ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
-+## Search quantum lib directories.
++## Search neutron lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66255,18 +66386,18 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_search_lib',`
++interface(`neutron_search_lib',`
+ gen_require(`
-+ type quantum_var_lib_t;
++ type neutron_var_lib_t;
+ ')
+
-+ allow $1 quantum_var_lib_t:dir search_dir_perms;
++ allow $1 neutron_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
-+## Read quantum lib files.
++## Read neutron lib files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66274,18 +66405,22 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_read_lib_files',`
-+ gen_require(`
-+ type quantum_var_lib_t;
-+ ')
-+
++interface(`neutron_read_lib_files',`
+ gen_require(`
+- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
+- type quantum_var_lib_t, quantum_tmp_t;
++ type neutron_var_lib_t;
+ ')
+
+- allow $1 quantum_t:process { ptrace signal_perms };
+- ps_process_pattern($1, quantum_t)
+ files_search_var_lib($1)
-+ read_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Manage quantum lib files.
++## Manage neutron lib files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66293,18 +66428,22 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_manage_lib_files',`
++interface(`neutron_manage_lib_files',`
+ gen_require(`
-+ type quantum_var_lib_t;
++ type neutron_var_lib_t;
+ ')
-+
+
+- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 quantum_initrc_exec_t system_r;
+- allow $2 system_r;
+ files_search_var_lib($1)
-+ manage_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Manage quantum lib directories.
++## Manage neutron lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66312,18 +66451,18 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_manage_lib_dirs',`
++interface(`neutron_manage_lib_dirs',`
+ gen_require(`
-+ type quantum_var_lib_t;
++ type neutron_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Read and write quantum fifo files.
++## Read and write neutron fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66331,17 +66470,17 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_rw_fifo_file',`
++interface(`neutron_rw_fifo_file',`
+ gen_require(`
-+ type quantum_t;
++ type neutron_t;
+ ')
+
-+ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+#####################################
+## <summary>
-+## Connect to quantum over a unix domain
++## Connect to neutron over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
@@ -66350,19 +66489,19 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_stream_connect',`
++interface(`neutron_stream_connect',`
+ gen_require(`
-+ type quantum_t;
-+ type quantum_var_lib_t;
++ type neutron_t;
++ type neutron_var_lib_t;
+ ')
+
+ files_search_pids($1)
-+ stream_connect_pattern($1, quantum_var_lib_t, quantum_var_lib_t, quantum_t )
++ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
+')
+
+########################################
+## <summary>
-+## Execute quantum server in the quantum domain.
++## Execute neutron server in the neutron domain.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66370,25 +66509,25 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_systemctl',`
++interface(`neutron_systemctl',`
+ gen_require(`
-+ type quantum_t;
-+ type quantum_unit_file_t;
++ type neutron_t;
++ type neutron_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 quantum_unit_file_t:file read_file_perms;
-+ allow $1 quantum_unit_file_t:service manage_service_perms;
++ allow $1 neutron_unit_file_t:file read_file_perms;
++ allow $1 neutron_unit_file_t:service manage_service_perms;
+
-+ ps_process_pattern($1, quantum_t)
++ ps_process_pattern($1, neutron_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
-+## an quantum environment
++## an neutron environment
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66396,92 +66535,203 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
- interface(`quantum_admin',`
- gen_require(`
-- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
-- type quantum_var_lib_t, quantum_tmp_t;
-+ type quantum_t;
-+ type quantum_log_t;
-+ type quantum_var_lib_t;
-+ type quantum_unit_file_t;
- ')
-
- allow $1 quantum_t:process { ptrace signal_perms };
- ps_process_pattern($1, quantum_t)
++interface(`neutron_admin',`
++ gen_require(`
++ type neutron_t;
++ type neutron_log_t;
++ type neutron_var_lib_t;
++ type neutron_unit_file_t;
++ ')
++
++ allow $1 neutron_t:process { ptrace signal_perms };
++ ps_process_pattern($1, neutron_t)
-- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 quantum_initrc_exec_t system_r;
-- allow $2 system_r;
--
logging_search_logs($1)
- admin_pattern($1, quantum_log_t)
+- admin_pattern($1, quantum_log_t)
++ admin_pattern($1, neutron_log_t)
files_search_var_lib($1)
- admin_pattern($1, quantum_var_lib_t)
+- admin_pattern($1, quantum_var_lib_t)
++ admin_pattern($1, neutron_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, quantum_tmp_t)
-+ quantum_systemctl($1)
-+ admin_pattern($1, quantum_unit_file_t)
-+ allow $1 quantum_unit_file_t:service all_service_perms;
++ neutron_systemctl($1)
++ admin_pattern($1, neutron_unit_file_t)
++ allow $1 neutron_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..bf3f16f 100644
+index 769d1fd..80a4b99 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
- type quantum_var_lib_t;
- files_type(quantum_var_lib_t)
+@@ -1,96 +1,108 @@
+-policy_module(quantum, 1.0.2)
++policy_module(quantum, 1.0.3)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-type quantum_t;
+-type quantum_exec_t;
+-init_daemon_domain(quantum_t, quantum_exec_t)
++type neutron_t alias quantum_t;
++type neutron_exec_t alias quantum_exec_t;
++init_daemon_domain(neutron_t, neutron_exec_t)
+
+-type quantum_initrc_exec_t;
+-init_script_file(quantum_initrc_exec_t)
++type neutron_initrc_exec_t alias qauntum_initrc_exec_t;
++init_script_file(neutron_initrc_exec_t)
+
+-type quantum_log_t;
+-logging_log_file(quantum_log_t)
++type neutron_log_t alias quantum_log_t;
++logging_log_file(neutron_log_t)
+
+-type quantum_tmp_t;
+-files_tmp_file(quantum_tmp_t)
++type neutron_tmp_t alias quantum_tmp_t;
++files_tmp_file(neutron_tmp_t)
-+type quantum_unit_file_t;
-+systemd_unit_file(quantum_unit_file_t)
+-type quantum_var_lib_t;
+-files_type(quantum_var_lib_t)
++type neutron_var_lib_t alias quantum_var_lib_t;
++files_type(neutron_var_lib_t)
+
++type neutron_unit_file_t alias quantum_unit_file_t;
++systemd_unit_file(neutron_unit_file_t)
+
########################################
#
# Local policy
-@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
- corenet_tcp_sendrecv_all_ports(quantum_t)
- corenet_tcp_bind_generic_node(quantum_t)
+ #
-+corenet_tcp_bind_quantum_port(quantum_t)
-+corenet_tcp_connect_keystone_port(quantum_t)
-+corenet_tcp_connect_mysqld_port(quantum_t)
-+
- dev_list_sysfs(quantum_t)
- dev_read_urand(quantum_t)
+-allow quantum_t self:capability { setgid setuid sys_resource };
+-allow quantum_t self:process { setsched setrlimit };
+-allow quantum_t self:fifo_file rw_fifo_file_perms;
+-allow quantum_t self:key manage_key_perms;
+-allow quantum_t self:tcp_socket { accept listen };
+-allow quantum_t self:unix_stream_socket { accept listen };
++allow neutron_t self:capability { setgid setuid sys_resource };
++allow neutron_t self:process { setsched setrlimit };
++allow neutron_t self:fifo_file rw_fifo_file_perms;
++allow neutron_t self:key manage_key_perms;
++allow neutron_t self:tcp_socket { accept listen };
++allow neutron_t self:unix_stream_socket { accept listen };
+
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
++manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
++append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+
+-can_exec(quantum_t, quantum_tmp_t)
++can_exec(neutron_t, neutron_tmp_t)
+
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
++kernel_read_kernel_sysctls(neutron_t)
++kernel_read_system_state(neutron_t)
+
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
++corecmd_exec_shell(neutron_t)
++corecmd_exec_bin(neutron_t)
+
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
++corenet_all_recvfrom_unlabeled(neutron_t)
++corenet_all_recvfrom_netlabel(neutron_t)
++corenet_tcp_sendrecv_generic_if(neutron_t)
++corenet_tcp_sendrecv_generic_node(neutron_t)
++corenet_tcp_sendrecv_all_ports(neutron_t)
++corenet_tcp_bind_generic_node(neutron_t)
+
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
++corenet_tcp_bind_quantum_port(neutron_t)
++corenet_tcp_connect_keystone_port(neutron_t)
++corenet_tcp_connect_mysqld_port(neutron_t)
-files_read_usr_files(quantum_t)
--
- auth_use_nsswitch(quantum_t)
++dev_list_sysfs(neutron_t)
++dev_read_urand(neutron_t)
+
+-auth_use_nsswitch(quantum_t)
++auth_use_nsswitch(neutron_t)
+
+-libs_exec_ldconfig(quantum_t)
++libs_exec_ldconfig(neutron_t)
- libs_exec_ldconfig(quantum_t)
-@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t)
- logging_send_audit_msgs(quantum_t)
- logging_send_syslog_msg(quantum_t)
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
++logging_send_audit_msgs(neutron_t)
++logging_send_syslog_msg(neutron_t)
-miscfiles_read_localization(quantum_t)
--
- sysnet_domtrans_ifconfig(quantum_t)
++sysnet_domtrans_ifconfig(neutron_t)
+
+-sysnet_domtrans_ifconfig(quantum_t)
++optional_policy(`
++ brctl_domtrans(neutron_t)
++')
+
+ optional_policy(`
+- brctl_domtrans(quantum_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_config(neutron_t)
++
++ mysql_tcp_connect(neutron_t)
+ ')
optional_policy(`
-@@ -94,3 +97,12 @@ optional_policy(`
+- mysql_stream_connect(quantum_t)
+- mysql_read_config(quantum_t)
++ postgresql_stream_connect(neutron_t)
++ postgresql_unpriv_client(neutron_t)
- postgresql_tcp_connect(quantum_t)
+- mysql_tcp_connect(quantum_t)
++ postgresql_tcp_connect(neutron_t)
')
-+
-+optional_policy(`
-+ openvswitch_domtrans(quantum_t)
-+ openvswitch_stream_connect(quantum_t)
+
+ optional_policy(`
+- postgresql_stream_connect(quantum_t)
+- postgresql_unpriv_client(quantum_t)
++ openvswitch_domtrans(neutron_t)
++ openvswitch_stream_connect(neutron_t)
+')
-+
+
+- postgresql_tcp_connect(quantum_t)
+optional_policy(`
-+ sudo_exec(quantum_t)
-+')
++ sudo_exec(neutron_t)
+ ')
diff --git a/quota.fc b/quota.fc
index cadabe3..0ee2489 100644
--- a/quota.fc
@@ -66928,7 +67178,7 @@ index 2c3d338..cf3e5ad 100644
########################################
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..8c4ba04 100644
+index 3698b51..136b017 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -66950,7 +67200,7 @@ index 3698b51..8c4ba04 100644
allow rabbitmq_beam_t self:process { setsched signal signull };
allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -66971,7 +67221,10 @@ index 3698b51..8c4ba04 100644
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -54,11 +63,14 @@ kernel_read_system_state(rabbitmq_beam_t)
+
+ kernel_read_system_state(rabbitmq_beam_t)
++kernel_read_fs_sysctls(rabbitmq_beam_t)
+
corecmd_exec_bin(rabbitmq_beam_t)
corecmd_exec_shell(rabbitmq_beam_t)
@@ -66986,11 +67239,13 @@ index 3698b51..8c4ba04 100644
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
-dev_read_sysfs(rabbitmq_beam_t)
++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
++
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
+
@@ -67006,20 +67261,24 @@ index 3698b51..8c4ba04 100644
+fs_getattr_all_fs(rabbitmq_beam_t)
+fs_getattr_all_dirs(rabbitmq_beam_t)
+fs_getattr_cgroup(rabbitmq_beam_t)
++fs_search_cgroup_dirs(rabbitmq_beam_t)
+
+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
+
+dev_read_sysfs(rabbitmq_beam_t)
+dev_read_urand(rabbitmq_beam_t)
++
++storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
sysnet_dns_name_resolve(rabbitmq_beam_t)
+logging_send_syslog_msg(rabbitmq_beam_t)
+
+optional_policy(`
++ couchdb_manage_lib_files(rabbitmq_beam_t)
+ couchdb_read_conf_files(rabbitmq_beam_t)
+ couchdb_read_log_files(rabbitmq_beam_t)
-+ couchdb_manage_lib_files(rabbitmq_beam_t)
++ couchdb_search_pid_dirs(rabbitmq_beam_t)
+')
+
+optional_policy(`
@@ -67035,7 +67294,7 @@ index 3698b51..8c4ba04 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -67424,7 +67683,7 @@ index 951db7f..7736755 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
-index 2c1730b..8e46216 100644
+index 2c1730b..6f60d73 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@@ -67476,7 +67735,7 @@ index 2c1730b..8e46216 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -49,19 +63,27 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +63,28 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -67485,6 +67744,7 @@ index 2c1730b..8e46216 100644
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
+dev_read_kvm(mdadm_t)
++dev_read_mei(mdadm_t)
+dev_read_nvram(mdadm_t)
+dev_read_generic_files(mdadm_t)
+dev_read_generic_usb_dev(mdadm_t)
@@ -67506,7 +67766,7 @@ index 2c1730b..8e46216 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +92,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +93,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -67528,7 +67788,7 @@ index 2c1730b..8e46216 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -97,9 +124,17 @@ optional_policy(`
+@@ -97,9 +125,17 @@ optional_policy(`
')
optional_policy(`
@@ -76267,7 +76527,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..aa2be40 100644
+index 57c034b..d48911d 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -76453,7 +76713,7 @@ index 57c034b..aa2be40 100644
type swat_t;
type swat_exec_t;
-@@ -170,27 +154,28 @@ type winbind_exec_t;
+@@ -170,27 +154,29 @@ type winbind_exec_t;
init_daemon_domain(winbind_t, winbind_exec_t)
type winbind_helper_t;
@@ -76481,6 +76741,7 @@ index 57c034b..aa2be40 100644
#
-
allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
++allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
-allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
@@ -76490,7 +76751,7 @@ index 57c034b..aa2be40 100644
allow samba_net_t samba_etc_t:file read_file_perms;
-@@ -206,17 +191,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+@@ -206,17 +192,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
@@ -76517,7 +76778,7 @@ index 57c034b..aa2be40 100644
dev_read_urand(samba_net_t)
-@@ -229,15 +219,16 @@ auth_manage_cache(samba_net_t)
+@@ -229,15 +220,16 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -76538,7 +76799,7 @@ index 57c034b..aa2be40 100644
')
optional_policy(`
-@@ -245,44 +236,56 @@ optional_policy(`
+@@ -245,44 +237,56 @@ optional_policy(`
')
optional_policy(`
@@ -76607,7 +76868,7 @@ index 57c034b..aa2be40 100644
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget };
-@@ -292,6 +295,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -292,6 +296,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -76616,7 +76877,7 @@ index 57c034b..aa2be40 100644
manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-@@ -301,11 +306,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+@@ -301,11 +307,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
@@ -76632,7 +76893,7 @@ index 57c034b..aa2be40 100644
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -315,43 +320,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -315,43 +321,33 @@ kernel_read_kernel_sysctls(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
@@ -76687,7 +76948,7 @@ index 57c034b..aa2be40 100644
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +355,54 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@@ -76753,7 +77014,7 @@ index 57c034b..aa2be40 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -413,20 +418,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -76776,7 +77037,7 @@ index 57c034b..aa2be40 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
-@@ -435,6 +430,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -76784,7 +77045,7 @@ index 57c034b..aa2be40 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +438,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -76802,7 +77063,7 @@ index 57c034b..aa2be40 100644
optional_policy(`
ccs_read_config(smbd_t)
')
-@@ -473,6 +458,11 @@ optional_policy(`
+@@ -473,6 +459,11 @@ optional_policy(`
')
optional_policy(`
@@ -76814,7 +77075,7 @@ index 57c034b..aa2be40 100644
lpd_exec_lpr(smbd_t)
')
-@@ -493,9 +483,33 @@ optional_policy(`
+@@ -493,9 +484,33 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -76849,7 +77110,7 @@ index 57c034b..aa2be40 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +520,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +521,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -76864,7 +77125,7 @@ index 57c034b..aa2be40 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +536,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +537,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -76888,7 +77149,7 @@ index 57c034b..aa2be40 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +553,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +554,40 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -76953,7 +77214,7 @@ index 57c034b..aa2be40 100644
')
optional_policy(`
-@@ -600,17 +599,24 @@ optional_policy(`
+@@ -600,17 +600,24 @@ optional_policy(`
########################################
#
@@ -76982,7 +77243,7 @@ index 57c034b..aa2be40 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -620,16 +626,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +627,12 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -77000,7 +77261,7 @@ index 57c034b..aa2be40 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +639,23 @@ optional_policy(`
+@@ -637,22 +640,23 @@ optional_policy(`
########################################
#
@@ -77032,7 +77293,7 @@ index 57c034b..aa2be40 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -661,26 +664,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +665,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -77068,7 +77329,7 @@ index 57c034b..aa2be40 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -692,58 +691,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +692,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -77160,7 +77421,7 @@ index 57c034b..aa2be40 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +770,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +771,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -77184,7 +77445,7 @@ index 57c034b..aa2be40 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -770,36 +784,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +785,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -77227,7 +77488,7 @@ index 57c034b..aa2be40 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -811,10 +814,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +815,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -77241,7 +77502,7 @@ index 57c034b..aa2be40 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -834,16 +838,19 @@ optional_policy(`
+@@ -834,16 +839,19 @@ optional_policy(`
#
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -77265,7 +77526,7 @@ index 57c034b..aa2be40 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +860,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +861,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -77276,7 +77537,7 @@ index 57c034b..aa2be40 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +871,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +872,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -77306,7 +77567,7 @@ index 57c034b..aa2be40 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +894,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +895,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -77327,7 +77588,7 @@ index 57c034b..aa2be40 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +912,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +913,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -77338,7 +77599,7 @@ index 57c034b..aa2be40 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,18 +920,24 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,18 +921,24 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -77365,7 +77626,7 @@ index 57c034b..aa2be40 100644
optional_policy(`
ctdbd_stream_connect(winbind_t)
-@@ -936,7 +945,12 @@ optional_policy(`
+@@ -936,7 +946,12 @@ optional_policy(`
')
optional_policy(`
@@ -77378,7 +77639,7 @@ index 57c034b..aa2be40 100644
')
optional_policy(`
-@@ -952,31 +966,29 @@ optional_policy(`
+@@ -952,31 +967,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -77416,7 +77677,7 @@ index 57c034b..aa2be40 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +1002,38 @@ optional_policy(`
+@@ -990,25 +1003,38 @@ optional_policy(`
########################################
#
@@ -85794,10 +86055,10 @@ index ac8213a..20fa71f 100644
-
-miscfiles_read_localization(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
-index c7de0cf..9813503 100644
+index c7de0cf..03fc880 100644
--- a/telepathy.fc
+++ b/telepathy.fc
-@@ -1,34 +1,22 @@
+@@ -1,34 +1,23 @@
-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
@@ -85805,6 +86066,7 @@ index c7de0cf..9813503 100644
-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
++HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
@@ -86266,7 +86528,7 @@ index 42946bc..741f2f4 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index e9c0964..ff77783 100644
+index e9c0964..d4686e6 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -1,29 +1,28 @@
@@ -86309,7 +86571,7 @@ index e9c0964..ff77783 100644
telepathy_domain_template(gabble)
-@@ -67,176 +66,144 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,176 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t)
#######################################
#
@@ -86500,6 +86762,9 @@ index e9c0964..ff77783 100644
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
+userdom_search_user_home_dirs(telepathy_mission_control_t)
++
++manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
++manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
@@ -86534,7 +86799,7 @@ index e9c0964..ff77783 100644
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
-@@ -245,59 +212,51 @@ optional_policy(`
+@@ -245,59 +215,51 @@ optional_policy(`
devicekit_dbus_chat_power(telepathy_mission_control_t)
')
optional_policy(`
@@ -86609,7 +86874,7 @@ index e9c0964..ff77783 100644
init_read_state(telepathy_msn_t)
-@@ -307,18 +266,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -307,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_all_certs(telepathy_msn_t)
@@ -86634,7 +86899,7 @@ index e9c0964..ff77783 100644
')
optional_policy(`
-@@ -329,43 +289,33 @@ optional_policy(`
+@@ -329,43 +292,33 @@ optional_policy(`
')
')
@@ -86683,7 +86948,7 @@ index e9c0964..ff77783 100644
')
optional_policy(`
-@@ -378,73 +328,53 @@ optional_policy(`
+@@ -378,73 +331,53 @@ optional_policy(`
#######################################
#
@@ -86767,7 +87032,7 @@ index e9c0964..ff77783 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,43 @@ optional_policy(`
+@@ -452,31 +385,43 @@ optional_policy(`
#######################################
#
@@ -92250,7 +92515,7 @@ index 9dec06c..4e31afe 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..d48d354 100644
+index 1f22fba..76ccef3 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,104 @@
@@ -92880,7 +93145,7 @@ index 1f22fba..d48d354 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +343,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -92890,6 +93155,7 @@ index 1f22fba..d48d354 100644
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
++allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
@@ -92901,7 +93167,7 @@ index 1f22fba..d48d354 100644
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +356,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -92909,7 +93175,7 @@ index 1f22fba..d48d354 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +364,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -92937,13 +93203,14 @@ index 1f22fba..d48d354 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +384,24 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
+# Init script handling
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
++domain_signull_all_domains(virtd_t)
-files_read_usr_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
@@ -92966,7 +93233,7 @@ index 1f22fba..d48d354 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +432,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -92986,7 +93253,7 @@ index 1f22fba..d48d354 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +454,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -93023,7 +93290,7 @@ index 1f22fba..d48d354 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +482,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -93032,7 +93299,7 @@ index 1f22fba..d48d354 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,20 +505,12 @@ optional_policy(`
+@@ -658,20 +507,12 @@ optional_policy(`
')
optional_policy(`
@@ -93053,7 +93320,7 @@ index 1f22fba..d48d354 100644
')
optional_policy(`
-@@ -684,14 +523,20 @@ optional_policy(`
+@@ -684,14 +525,20 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -93076,7 +93343,7 @@ index 1f22fba..d48d354 100644
iptables_manage_config(virtd_t)
')
-@@ -704,11 +549,13 @@ optional_policy(`
+@@ -704,11 +551,13 @@ optional_policy(`
')
optional_policy(`
@@ -93090,7 +93357,7 @@ index 1f22fba..d48d354 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -719,10 +566,18 @@ optional_policy(`
+@@ -719,10 +568,18 @@ optional_policy(`
')
optional_policy(`
@@ -93109,7 +93376,7 @@ index 1f22fba..d48d354 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +592,262 @@ optional_policy(`
+@@ -737,44 +594,262 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -93394,7 +93661,7 @@ index 1f22fba..d48d354 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +860,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -93421,7 +93688,7 @@ index 1f22fba..d48d354 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +880,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -93453,7 +93720,7 @@ index 1f22fba..d48d354 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +911,20 @@ optional_policy(`
+@@ -847,14 +913,20 @@ optional_policy(`
')
optional_policy(`
@@ -93475,7 +93742,7 @@ index 1f22fba..d48d354 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +949,65 @@ optional_policy(`
+@@ -879,49 +951,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -93559,7 +93826,7 @@ index 1f22fba..d48d354 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1021,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -93579,7 +93846,7 @@ index 1f22fba..d48d354 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1042,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -93603,7 +93870,7 @@ index 1f22fba..d48d354 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1067,247 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -93981,7 +94248,7 @@ index 1f22fba..d48d354 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1320,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -93996,7 +94263,7 @@ index 1f22fba..d48d354 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1336,8 @@ optional_policy(`
+@@ -1183,9 +1338,8 @@ optional_policy(`
########################################
#
@@ -94007,7 +94274,7 @@ index 1f22fba..d48d354 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1352,120 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -97710,7 +97977,7 @@ index b0803c2..f1fa5f7 100644
+')
diff --git a/zoneminder.fc b/zoneminder.fc
new file mode 100644
-index 0000000..a468da3
+index 0000000..d8a6df1
--- /dev/null
+++ b/zoneminder.fc
@@ -0,0 +1,26 @@
@@ -97718,7 +97985,7 @@ index 0000000..a468da3
+
+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
+
-+/usr/bin/motion -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
++#/usr/bin/motion -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 317ab46..1a40678 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 77.1%{?dist}
+Release: 78%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -570,6 +570,33 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Sep 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-78
+- Allow block_suspend cap for samba-net
+- Allow t-mission-control to manage gabble cache files
+- Allow nslcd to read /sys/devices/system/cpu
+- Allow selinux_store to use symlinks
+- Allow xdm_t to transition to itself
+- Call neutron interfaces instead of quantum
+- Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t
+- Make sure directories in /run get created with the correct label
+- Make sure /root/.pki gets created with the right label
+- try to remove labeling for motion from zoneminder_exec_t to bin_t
+- Allow inetd_t to execute shell scripts
+- Allow cloud-init to read all domainstate
+- Fix to use quantum port
+- Add interface netowrkmanager_initrc_domtrans
+- Fix boinc_execmem
+- Allow t-mission-control to read gabble cache home
+- Add labeling for ~/.cache/telepathy/avatars/gabble
+- Allow memcache to read sysfs data
+- Cleanup antivirus policy and add additional fixes
+- Add boolean boinc_enable_execstack
+- Add support for couchdb in rabbitmq policy
+- Add interface couchdb_search_pid_dirs
+- Allow firewalld to read NM state
+- Allow systemd running as git_systemd to bind git port
+- Fix mozilla_plugin_rw_tmpfs_files()
+
* Mon Sep 9 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-77.1
- Fix nameing of rpm macro
- Fix creating of checksum file off installed policy