diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 8268e42..a373432 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3224,7 +3224,7 @@ index 7590165..fb30c11 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..7238b9d 100644
+index 33e0f8d..d3434a9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3538,7 +3538,7 @@ index 33e0f8d..7238b9d 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,11 +462,15 @@ ifdef(`distro_suse', `
+@@ -387,11 +462,16 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3548,6 +3548,7 @@ index 33e0f8d..7238b9d 100644
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
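Review bot: The new corecommands.fc entry `/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)` is a literal path limited to regular files (`--`), so it labels only a file whose name is exactly `scripts-INSTANCE`; if, as the name suggests, it is meant to cover per-instance script directories under /var/lib/dirsrv, it will not match them and they keep their default label. A pattern with a wildcard instance segment and a tree suffix, in the style of the neighbouring `/var/ftp/bin(/.*)?` entry, is probably what was intended — e.g. `/var/lib/dirsrv/scripts-[^/]+(/.*)? gen_context(system_u:object_r:bin_t,s0)` — but confirm against the layout the directory server actually installs before widening it. Labelling a tree under a writable /var/lib data directory as bin_t deserves a comment explaining why those scripts must be executable there.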
@@ -3555,7 +3556,7 @@ index 33e0f8d..7238b9d 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -401,3 +480,12 @@ ifdef(`distro_suse', `
+@@ -401,3 +481,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -26981,7 +26982,7 @@ index 3efd5b6..08c3e93 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..8e6648e 100644
+index 09b791d..1a3d5b3 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -27284,7 +27285,7 @@ index 09b791d..8e6648e 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -456,6 +499,8 @@ optional_policy(`
+@@ -456,10 +499,145 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@@ -27293,7 +27294,8 @@ index 09b791d..8e6648e 100644
')
optional_policy(`
-@@ -463,3 +508,135 @@ optional_policy(`
+ samba_stream_connect_winbind(nsswitch_domain)
++ samba_stream_connect_nmbd(nsswitch_domain)
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
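Review bot: `samba_stream_connect_nmbd(nsswitch_domain)` grants every domain carrying the nsswitch_domain attribute access to nmbd's unix socket, and nothing in the block says which resolver path needs it. The winbind call beside it is self-explanatory, but nmbd is not an obvious NSS backend; presumably this is for nss_wins lookups, so a one-line comment above the new call, e.g. `# nss_wins resolves names through nmbd's socket`, would let later readers judge whether the grant is still required. If only a narrower set of domains actually performs such lookups, scoping the rule to them rather than to the whole attribute would be the tighter option.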
@@ -33210,7 +33212,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..19dc9ce 100644
+index 59b04c1..cdc1c76 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -33286,16 +33288,18 @@ index 59b04c1..19dc9ce 100644
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
-@@ -111,7 +137,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +137,9 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
-term_use_all_terms(auditctl_t)
++storage_getattr_removable_dev(auditctl_t)
++
+term_use_all_inherited_terms(auditctl_t)
init_dontaudit_use_fds(auditctl_t)
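Review bot: `storage_getattr_removable_dev(auditctl_t)` adds a real allow rule where a dontaudit may be the right fix, since auditctl has no evident need to stat removable block devices and the grant reads like a response to a denial seen in an audit log. If the access is only noise, refpolicy's `storage_dontaudit_getattr_removable_dev(auditctl_t)` (if that interface is available in this tree) keeps the domain's permissions unchanged while silencing the message; if it is genuinely needed, a short comment stating why would justify the wider rule. The added empty line after the new call also breaks the existing spacing — `mls_file_read_all_levels` and `term_use_all_inherited_terms` were adjacent before, so the blank line looks stray.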
-@@ -148,6 +174,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +176,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)
@@ -33303,7 +33307,7 @@ index 59b04c1..19dc9ce 100644
dev_read_sysfs(auditd_t)
-@@ -155,9 +182,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +184,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
@@ -33313,7 +33317,7 @@ index 59b04c1..19dc9ce 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +207,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +209,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -33335,7 +33339,7 @@ index 59b04c1..19dc9ce 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,19 +262,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +264,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -33366,7 +33370,7 @@ index 59b04c1..19dc9ce 100644
')
########################################
-@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +305,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
corecmd_exec_bin(audisp_remote_t)
@@ -33374,7 +33378,7 @@ index 59b04c1..19dc9ce 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +314,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +316,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -33394,7 +33398,7 @@ index 59b04c1..19dc9ce 100644
sysnet_dns_name_resolve(audisp_remote_t)
-@@ -326,7 +368,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +370,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@@ -33402,7 +33406,7 @@ index 59b04c1..19dc9ce 100644
mls_file_read_all_levels(klogd_t)
-@@ -355,13 +396,12 @@ optional_policy(`
+@@ -355,13 +398,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
@@ -33419,7 +33423,7 @@ index 59b04c1..19dc9ce 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -371,6 +411,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -371,6 +413,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -33427,7 +33431,7 @@ index 59b04c1..19dc9ce 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +430,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +432,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -33477,7 +33481,7 @@ index 59b04c1..19dc9ce 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +479,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +481,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -33486,7 +33490,7 @@ index 59b04c1..19dc9ce 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +491,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +493,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -33514,7 +33518,7 @@ index 59b04c1..19dc9ce 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -448,13 +524,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +526,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@@ -33532,7 +33536,7 @@ index 59b04c1..19dc9ce 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +546,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +548,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -33547,7 +33551,7 @@ index 59b04c1..19dc9ce 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -507,15 +587,40 @@ optional_policy(`
+@@ -507,15 +589,40 @@ optional_policy(`
')
optional_policy(`
@@ -33588,7 +33592,7 @@ index 59b04c1..19dc9ce 100644
')
optional_policy(`
-@@ -526,3 +631,26 @@ optional_policy(`
+@@ -526,3 +633,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -41777,7 +41781,7 @@ index db75976..e4eb903 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..858bd7a 100644
+index 9dc60c6..b921b57 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -42476,7 +42480,7 @@ index 9dc60c6..858bd7a 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +747,128 @@ template(`userdom_common_user_template',`
+@@ -546,93 +747,132 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -42593,6 +42597,10 @@ index 9dc60c6..858bd7a 100644
+ kde_dbus_chat_backlighthelper($1_usertype)
')
++ optional_policy(`
++ memcached_stream_connect($1_usertype)
++ ')
++
optional_policy(`
- cups_dbus_chat_config($1_t)
+ modemmanager_dbus_chat($1_usertype)
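Review bot: `memcached_stream_connect($1_usertype)` in userdom_common_user_template gives every user domain built from the template an unconditional connection to memcached's unix socket, and the hunk gives no hint which user application needs it. A grant aimed at one application is better placed behind a tunable or in that application's own domain; at minimum the new optional_policy block should carry a comment naming the consumer, e.g. `# needed by <APPLICATION — fill in> to reach memcached's socket`. The enclosing template body starts and ends outside this hunk.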
@@ -42619,31 +42627,31 @@ index 9dc60c6..858bd7a 100644
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ git_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
')
optional_policy(`
- kerberos_manage_krb5_home_files($1_t)
- kerberos_relabel_krb5_home_files($1_t)
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ lircd_stream_connect($1_usertype)
')
optional_policy(`
-@@ -642,23 +878,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +882,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -42672,7 +42680,7 @@ index 9dc60c6..858bd7a 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +905,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +909,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -42681,7 +42689,7 @@ index 9dc60c6..858bd7a 100644
')
optional_policy(`
-@@ -680,9 +914,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +918,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -42694,33 +42702,37 @@ index 9dc60c6..858bd7a 100644
')
')
-@@ -693,32 +927,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +931,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ rpc_dontaudit_getattr_exports($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ rpc_dontaudit_getattr_exports($1_usertype)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ rpcbind_stream_connect($1_usertype)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
-+ sandbox_transition($1_usertype, $1_r)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
@@ -42729,10 +42741,6 @@ index 9dc60c6..858bd7a 100644
- virt_home_filetrans_virt_content($1_t, dir, "isos")
- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
-+ seunshare_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ slrnpull_search_spool($1_usertype)
+ ')
+
@@ -42741,7 +42749,7 @@ index 9dc60c6..858bd7a 100644
')
')
-@@ -743,17 +980,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +984,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -42758,12 +42766,12 @@ index 9dc60c6..858bd7a 100644
- userdom_manage_tmpfs_role($1_r, $1_t)
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable($1_exec_content, true)
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable($1_exec_content, true)
++
+ tunable_policy(`$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -42779,7 +42787,7 @@ index 9dc60c6..858bd7a 100644
userdom_change_password_template($1)
-@@ -761,83 +1014,107 @@ template(`userdom_login_user_template', `
+@@ -761,83 +1018,107 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -42873,7 +42881,8 @@ index 9dc60c6..858bd7a 100644
+ seutil_read_file_contexts($1_usertype)
+ seutil_read_default_contexts($1_usertype)
+ seutil_exec_setfiles($1_usertype)
-+
+
+- seutil_read_config($1_t)
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -42884,8 +42893,7 @@ index 9dc60c6..858bd7a 100644
+ kerberos_use($1_usertype)
+ init_write_key($1_usertype)
+ ')
-
-- seutil_read_config($1_t)
++
+ optional_policy(`
+ mysql_filetrans_named_content($1_usertype)
+ ')
@@ -42923,7 +42931,7 @@ index 9dc60c6..858bd7a 100644
')
#######################################
-@@ -868,6 +1145,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -42936,7 +42944,7 @@ index 9dc60c6..858bd7a 100644
##############################
#
# Local policy
-@@ -907,53 +1190,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -42990,11 +42998,8 @@ index 9dc60c6..858bd7a 100644
optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_rw_config($1_usertype)
- ')
-
-- optional_policy(`
-- dbus_role_template($1, $1_r, $1_t)
-- dbus_system_bus_client($1_t)
++ ')
++
+ # cjp: needed by KDE apps
+ # bug: #682499
+ optional_policy(`
@@ -43005,9 +43010,11 @@ index 9dc60c6..858bd7a 100644
+
+ optional_policy(`
+ obex_role($1_r, $1_t, $1)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- dbus_role_template($1, $1_r, $1_t)
+- dbus_system_bus_client($1_t)
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -43088,7 +43095,7 @@ index 9dc60c6..858bd7a 100644
')
#######################################
-@@ -987,27 +1354,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -43126,7 +43133,7 @@ index 9dc60c6..858bd7a 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1391,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1395,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -43178,16 +43185,16 @@ index 9dc60c6..858bd7a 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
@@ -43197,7 +43204,7 @@ index 9dc60c6..858bd7a 100644
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1457,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -43208,7 +43215,7 @@ index 9dc60c6..858bd7a 100644
')
')
-@@ -1079,7 +1491,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1495,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -43219,7 +43226,7 @@ index 9dc60c6..858bd7a 100644
')
##############################
-@@ -1095,6 +1509,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1513,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -43227,7 +43234,7 @@ index 9dc60c6..858bd7a 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1520,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1524,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -43244,7 +43251,7 @@ index 9dc60c6..858bd7a 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1537,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1541,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -43252,7 +43259,7 @@ index 9dc60c6..858bd7a 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1555,14 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1559,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -43267,7 +43274,7 @@ index 9dc60c6..858bd7a 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1573,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1577,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -43310,7 +43317,7 @@ index 9dc60c6..858bd7a 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1614,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1618,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -43319,7 +43326,7 @@ index 9dc60c6..858bd7a 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1623,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1627,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -43338,7 +43345,7 @@ index 9dc60c6..858bd7a 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1669,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1673,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -43347,7 +43354,7 @@ index 9dc60c6..858bd7a 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1679,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1683,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -43356,7 +43363,7 @@ index 9dc60c6..858bd7a 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1693,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1697,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -43368,7 +43375,7 @@ index 9dc60c6..858bd7a 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1707,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1711,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -43411,7 +43418,7 @@ index 9dc60c6..858bd7a 100644
')
optional_policy(`
-@@ -1357,14 +1792,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1796,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -43430,7 +43437,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -1405,6 +1843,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1405,6 +1847,51 @@ interface(`userdom_user_tmpfs_file',`
##
## Allow domain to attach to TUN devices created by administrative users.
##
@@ -43482,7 +43489,7 @@ index 9dc60c6..858bd7a 100644
##
##
## Domain allowed access.
-@@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1996,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -43514,7 +43521,7 @@ index 9dc60c6..858bd7a 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2062,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -43529,7 +43536,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2085,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -43541,7 +43548,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -1629,6 +2142,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2146,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -43584,7 +43591,7 @@ index 9dc60c6..858bd7a 100644
########################################
##
## Create directories in the home dir root with
-@@ -1708,6 +2257,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2261,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -43593,7 +43600,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -1741,10 +2292,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2296,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -43608,7 +43615,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -1769,7 +2322,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2326,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -43635,7 +43642,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -1779,53 +2350,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1779,53 +2354,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@@ -43718,7 +43725,7 @@ index 9dc60c6..858bd7a 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1845,6 +2433,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2437,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -43744,7 +43751,7 @@ index 9dc60c6..858bd7a 100644
## Mmap user home files.
##
##
-@@ -1875,15 +2482,18 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,15 +2486,18 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -43765,7 +43772,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -1891,18 +2501,18 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1891,18 +2505,18 @@ interface(`userdom_read_user_home_content_files',`
##
##
#
@@ -43789,7 +43796,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -1910,17 +2520,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
+@@ -1910,17 +2524,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
##
##
#
@@ -43815,7 +43822,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -1928,7 +2542,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
+@@ -1928,7 +2546,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
##
##
#
@@ -43842,7 +43849,7 @@ index 9dc60c6..858bd7a 100644
gen_require(`
type user_home_t;
')
-@@ -1938,7 +2570,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2574,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -43851,7 +43858,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -1946,10 +2578,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2582,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -43864,7 +43871,7 @@ index 9dc60c6..858bd7a 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2589,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2593,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -43873,7 +43880,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -1966,12 +2597,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2601,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -43942,7 +43949,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -2007,8 +2692,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2696,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -43952,7 +43959,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -2024,20 +2708,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2712,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -43977,7 +43984,7 @@ index 9dc60c6..858bd7a 100644
########################################
##
-@@ -2120,7 +2798,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2802,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -43986,7 +43993,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -2128,19 +2806,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2810,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -44010,7 +44017,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -2148,12 +2824,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2828,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -44026,7 +44033,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -2390,11 +3066,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2390,11 +3070,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -44041,7 +44048,7 @@ index 9dc60c6..858bd7a 100644
files_search_tmp($1)
')
-@@ -2414,7 +3090,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3094,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -44050,7 +44057,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -2661,6 +3337,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3341,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -44076,7 +44083,7 @@ index 9dc60c6..858bd7a 100644
########################################
##
## Read user tmpfs files.
-@@ -2677,13 +3372,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3376,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -44092,7 +44099,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -2704,7 +3400,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3404,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -44101,7 +44108,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -2712,14 +3408,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3412,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -44136,7 +44143,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -2814,6 +3526,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3530,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -44161,7 +44168,7 @@ index 9dc60c6..858bd7a 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3562,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3566,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -44204,7 +44211,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -2856,14 +3598,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3602,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -44242,7 +44249,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -2882,8 +3643,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3647,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -44272,7 +44279,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -2955,69 +3735,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3739,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -44373,7 +44380,7 @@ index 9dc60c6..858bd7a 100644
##
##
##
-@@ -3025,12 +3804,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3808,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -44388,7 +44395,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -3094,7 +3873,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3877,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -44397,7 +44404,7 @@ index 9dc60c6..858bd7a 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +3889,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +3893,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -44431,7 +44438,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -3214,30 +3977,48 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,31 +3981,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -44464,6 +44471,7 @@ index 9dc60c6..858bd7a 100644
########################################
##
-## Do not audit attempts to relabel files from
+-## user pty types.
+## Relabel files to unprivileged user pty types.
+##
+##
@@ -44483,10 +44491,11 @@ index 9dc60c6..858bd7a 100644
+########################################
+##
+## Do not audit attempts to relabel files from
- ## user pty types.
++## user pty types.
##
##
-@@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',`
+ ##
+@@ -3269,7 +4054,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -44571,7 +44580,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -3287,7 +4144,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3287,7 +4148,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -44580,7 +44589,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
-@@ -3306,6 +4163,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3306,6 +4167,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -44588,7 +44597,7 @@ index 9dc60c6..858bd7a 100644
kernel_search_proc($1)
')
-@@ -3382,6 +4240,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4244,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -44631,7 +44640,7 @@ index 9dc60c6..858bd7a 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4296,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4300,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -44656,7 +44665,7 @@ index 9dc60c6..858bd7a 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4347,1680 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4351,1680 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2c2a540..54cdf61 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -8465,7 +8465,7 @@ index dcd774e..c240ffa 100644
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
-index f16b000..6cf82b3 100644
+index f16b000..941d3fd 100644
--- a/bacula.te
+++ b/bacula.te
@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
@@ -8488,7 +8488,15 @@ index f16b000..6cf82b3 100644
corenet_sendrecv_hplip_server_packets(bacula_t)
corenet_tcp_bind_hplip_port(bacula_t)
corenet_udp_bind_hplip_port(bacula_t)
-@@ -148,9 +152,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
+ fs_getattr_xattr_fs(bacula_t)
+ fs_list_all(bacula_t)
+
++auth_use_nsswitch(bacula_t)
+ auth_read_shadow(bacula_t)
+
+ logging_send_syslog_msg(bacula_t)
+@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
@@ -10875,7 +10883,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..b988f57 100644
+index 550b287..ad3330f 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10960,7 +10968,7 @@ index 550b287..b988f57 100644
')
optional_policy(`
-@@ -92,11 +108,47 @@ optional_policy(`
+@@ -92,11 +108,51 @@ optional_policy(`
')
optional_policy(`
@@ -10971,6 +10979,10 @@ index 550b287..b988f57 100644
+')
+
+optional_policy(`
++ ipa_manage_lib(certmonger_t)
++')
++
++optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
')
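Review bot: The new `ipa_manage_lib(certmonger_t)` call grants certmonger_t create, write, unlink and rename on every file and directory labelled ipa_var_lib_t, which per the ipa.fc change in this same commit is the entire /var/lib/ipa subtree; the changelog only motivates certmonger writing IPA lib files, so it is worth confirming that a narrower read-plus-write interface would not do. The new ipa_manage_lib interface, as written in ipa.if later in this diff, does not include search on var_lib_t, so unless certmonger_t already has `files_search_var_lib` elsewhere in the file (outside this hunk) it will be unable to reach /var/lib/ipa at all. The surrounding optional_policy block for kerberos starts and ends outside the hunk.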
@@ -33304,20 +33316,22 @@ index d443fee..6cbbf7d 100644
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
-index 0000000..9278f85
+index 0000000..48d7322
--- /dev/null
+++ b/ipa.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
++/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
++
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..70c67d3
+index 0000000..4095bed
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,58 @@
+## Policy for IPA services.
+
+########################################
@@ -33356,12 +33370,32 @@ index 0000000..70c67d3
+ allow $1 ipa_otpd_t:unix_stream_socket connectto;
+')
+
++########################################
++##
++## Allow domain to manage ipa lib files/dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_manage_lib',`
++ gen_require(`
++ type ipa_var_lib_t;
++ ')
++
++ manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
++')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..0fd2678
+index 0000000..b60bc5f
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,43 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -33378,6 +33412,9 @@ index 0000000..0fd2678
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
++type ipa_var_lib_t;
++files_type(ipa_var_lib_t)
++
+########################################
+#
+# ipa_otpd local policy
@@ -61065,7 +61102,7 @@ index 8eb3f7b..1ff0fe3 100644
+userdom_read_all_users_state(pkcs_slotd_t)
diff --git a/pki.fc b/pki.fc
new file mode 100644
-index 0000000..726d992
+index 0000000..e6592ea
--- /dev/null
+++ b/pki.fc
@@ -0,0 +1,56 @@
@@ -61074,7 +61111,7 @@ index 0000000..726d992
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
++/var/log/pki(/.*)? gen_context(system_u:object_r:pki_log_t,s0)
+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
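Review bot: The widened spec `/var/log/pki(/.*)?` → pki_log_t now also matches everything under /var/log/pki/pki-tomcat, which the entry two lines above labels pki_tomcat_log_t; the pki-tomcat subtree keeps its more specific label only because file_contexts entries are sorted by specificity with the later match winning. That is the expected behaviour, but since the relabel is what the changelog describes as the fix, it would be worth confirming with `matchpathcon` on a path under /var/log/pki/pki-tomcat and on /var/log/pki itself before shipping, so tomcat's log directory is not silently relabelled to the generic type. The rest of the pki.fc file section lies outside this hunk.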
@@ -61420,7 +61457,7 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..b7dfce7
+index 0000000..22f672d
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,274 @@
@@ -61453,7 +61490,7 @@ index 0000000..b7dfce7
+files_type(pki_tomcat_etc_rw_t)
+
+type pki_tomcat_cert_t;
-+files_type(pki_tomcat_cert_t)
++miscfiles_cert_type(pki_tomcat_cert_t)
+
+tomcat_domain_template(pki_tomcat)
+
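Review bot: Switching pki_tomcat_cert_t from `files_type` to `miscfiles_cert_type` puts it in the cert_type attribute, so every domain allowed `miscfiles_read_all_certs` can now read everything labelled pki_tomcat_cert_t, which the pki.fc entry earlier in this diff maps to /etc/pki/pki-tomcat/alias(/.*)?. If that alias directory also holds NSS key databases alongside the certificates (I believe it does for a PKI tomcat instance, but cannot confirm from the hunk), the attribute exposes private key material to all of those domains, not just the server's public certificates. Either confirm that no key files live under that path, or give the key databases a separate non-cert_type label so only pki_tomcat_t can read them. The remainder of pki.te's type declarations is outside the hunk.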
@@ -91068,10 +91105,10 @@ index 0000000..ddfed09
+')
diff --git a/speech-dispatcher.te b/speech-dispatcher.te
new file mode 100644
-index 0000000..57372d0
+index 0000000..931fa6c
--- /dev/null
+++ b/speech-dispatcher.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,51 @@
+policy_module(speech-dispatcher, 1.0.0)
+
+########################################
@@ -91082,6 +91119,7 @@ index 0000000..57372d0
+type speech-dispatcher_t;
+type speech-dispatcher_exec_t;
+init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t)
++application_executable_file(speech-dispatcher_exec_t)
+
+type speech-dispatcher_log_t;
+logging_log_file(speech-dispatcher_log_t)
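Review bot: The added `application_executable_file(speech-dispatcher_exec_t)` makes the daemon binary executable by any domain that has `corecmd_exec_all_executables`, on top of the init-only entry that `init_daemon_domain` already provides; presumably the intent is to let user sessions launch speech-dispatcher directly, but that intent is not recorded. A one-line comment above the call, such as `# also started by user sessions, not only by init`, would tell the next reader why the exec type is exposed beyond init. The module's remaining rules are outside this hunk.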
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1affd65..57bb4e8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 39%{?dist}
+Release: 40%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -584,6 +584,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 26 2014 Miroslav Grepl 3.13.1-40
+- update storage_filetrans_all_named_dev for sg* devices
+- Allow auditctl_t to getattr on all removeable devices
+- Allow nsswitch_domains to stream connect to nmbd
+- Allow rasdaemon to rw /dev/cpu//msr
+- fix /var/log/pki file spec
+- make bacula_t as auth_nsswitch domain
+- Allow certmonger to manage ipa lib files
+- Add support for /var/lib/ipa
+
* Tue Mar 25 2014 Miroslav Grepl 3.13.1-39
- Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools